nanog mailing list archives
Re: soBGP deployment
From: Russ White <ruwhite () cisco com>
Date: Mon, 23 May 2005 22:18:26 -0400 (Eastern Daylight Time)
You do need "trusted third party" to act as PKI root signer. We're lucky because unlike other places, we do have hierarchy with ip addresses and ASNs and NIR is the "root" organization.
Don't confuse cryptography with security.
You need one trusted third party to arrange for the cryptography to scale (work). You need a different third party to help authenticate (secure) the routing data.
IMHO, you don't necessarily want these two third parties to be the same.
One of, perhaps, the most confusing aspects of soBGP is that there are four certificates. Why not just do one certificate? Because of this specific separation....
1. We need someone to verify X's key is really X's key. We believe SP's won't, necessarily, want to be in this business.
2. We need someone to verify X is allowed to advertise Y. We believe RR's and SP's will probably be in this business, whether or not they like it.
3. We need some way for a local AS to express various things that don't need to be signed by some third party, connectivity and policy, specifically.
We want different chains of trust--one person to say "this is X's key," another to say: "this is X's address space."
:-)
Russ
__________________________________
riw () cisco com CCIE <>< Grace Alone
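The separation described in the message above, as an added example that is not part of the original post and not soBGP's own code or certificate format: one anchor signs "this is X's key", a different anchor signs "X may advertise Y", and the AS signs its own connectivity statement. Toy textbook RSA over small known primes stands in for real certificate signatures; the key names, message strings, AS numbers and prefix are constructed assumptions.

```python
import hashlib

def mersenne(k):
    return 2**k - 1  # prime for k in {31, 61, 89, 107, 127, 521}

def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_h(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)

# Constructed keys: two unrelated trust anchors and the AS's own key.
KEY_ROOT_PUB, KEY_ROOT_PRIV = keypair(mersenne(61), mersenne(89))      # vouches for keys
ADDR_ROOT_PUB, ADDR_ROOT_PRIV = keypair(mersenne(107), mersenne(127))  # vouches for address space
AS_PUB, AS_PRIV = keypair(mersenne(31), mersenne(521))                 # AS 65001's own key

def key_binding(asn, pub):
    return f"key|AS{asn}|{pub[0]}|{pub[1]}"

def addr_binding(asn, prefix):
    return f"addr|AS{asn}|{prefix}"

def validate(asn, prefix, as_pub, key_sig, addr_sig, policy, policy_sig):
    """Check each statement against its own anchor; no anchor covers for another."""
    return {
        "key": verify(KEY_ROOT_PUB, key_binding(asn, as_pub), key_sig),
        "address": verify(ADDR_ROOT_PUB, addr_binding(asn, prefix), addr_sig),
        # Self-signed by the AS; only meaningful when "key" is also True.
        "policy": verify(as_pub, policy, policy_sig),
    }

# Constructed sample: AS 65001 originating 192.0.2.0/24.
POLICY = "AS65001 connects-to AS65002"
KEY_SIG = sign(KEY_ROOT_PRIV, key_binding(65001, AS_PUB))
ADDR_SIG = sign(ADDR_ROOT_PRIV, addr_binding(65001, "192.0.2.0/24"))
POLICY_SIG = sign(AS_PRIV, POLICY)

if __name__ == "__main__":
    print(validate(65001, "192.0.2.0/24", AS_PUB, KEY_SIG, ADDR_SIG, POLICY, POLICY_SIG))
```

A receiver would accept the origin only when all three results are true; a key binding signed by the address anchor, or an address statement for a different prefix, fails its own check without affecting the others.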