[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Thu Sep 22 21:22:50 CEST 2011


2011/9/22 Arturo Servin <aservin at lacnic.net>:
> Jean,
>
> On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
>
>> Hi Arturo,
>>
>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>> Jean,
>>>
>>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>>
[snip]
>>>> - Auto-configuration
>>>> "SEND is very difficult to deploy (it requires a PKI)"
>>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>>> http://www.rpki.net for ARIN) and openssl already allows generating
>>>> the needed certificates. Now I agree there is still work to deploy
>>>> this technology in product networks.
>>>
>>>   I think you are mixing concepts. RPKI does have to do anything with SEND.
>>
>> Please, read the draft
>
>        Which one, there are like 10.

Last version, so *-10 (which has RFC Ed Queue status).

>
>> and you should see the relationship with SIDR
>> WG works and so RPKI.
>
>        The only common thing between RPKI and SEND is that both use PKI. No more.

OK. At first, I am not a PKI expert. Now, from what I understand (PKI
experts, please, don't hesitate to correct me :)):

RPKI is based on SPKI, meaning you don't care who is the owner of the
certificate (i.e., DN) but you only need to know an entity is allowed
to provide a service. This is not the case in a classical PKI (i.e.,
applications check DN in the cert).

>
>        I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).

RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
the hosts should only store RIRs' certificates to get

>
> .as