[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Thu Sep 22 21:24:24 CEST 2011


2011/9/22 Jean-Michel Combes <jeanmichel.combes at gmail.com>:
> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>> Jean,
>>
>> On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
>>
>>> Hi Arturo,
>>>
>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>> Jean,
>>>>
>>>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>>>
> [snip]
>>>>> - Auto-configuration
>>>>> "SEND is very difficult to deploy (it requires a PKI)"
>>>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>>>> the needed certificates. Now I agree there is still work to deploy
>>>>> this technology in product networks.
>>>>
>>>>   I think you are mixing concepts. RPKI does have to do anything with SEND.
>>>
>>> Please, read the draft
>>
>>        Which one, there are like 10.
>
> Last version, so *-10 (which has RFC Ed Queue status).
>
>>
>>> and you should see the relationship with SIDR
>>> WG works and so RPKI.
>>
>>        The only common thing between RPKI and SEND is that both use PKI. No more.
>
> OK. At first, I am not a PKI expert. Now, from what I understand (PKI
> experts, please, don't hesitate to correct me :)):
>
> RPKI is based on SPKI, meaning you don't care who is the owner of the
> certificate (i.e., DN) but you only need to know an entity is allowed
> to provide a service. This is not the case in a classical PKI (i.e.,
> applications check DN in the cert).
>
>>
>>        I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).
>
> RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
> Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
> the hosts should only store RIRs' certificates to get

ooops .... wrong manipulation :s

... to get the right certification path. Is it clearer?

Best regards.

JMC.

>
>>
>> .as
>>
>>
>
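
The certification-path idea described in this message (a host stores only the RIR trust anchors and accepts a router only if its certified prefixes chain back to one of them), as an added example that is not from the thread or from draft-ietf-csi-send-cert. The Cert class, validate_path, the names and the 2001:db8::/32 documentation prefixes are constructed for illustration; signature verification and RFC 3779 "inherit" are left out, so only resource containment is shown.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: Optional["Cert"]   # None marks a self-signed trust anchor
    prefixes: List[str]        # RFC 3779-style IP address delegation

def covered(prefix: str, holder: Cert) -> bool:
    """True if prefix lies inside one of the holder's certified prefixes."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(p)) for p in holder.prefixes)

def validate_path(router: Cert, trust_anchors: set, advertised: str):
    """Check an advertised prefix against a router certificate chain.

    Assumption: signatures were already verified elsewhere; this only
    checks that resources shrink monotonically up to a trusted anchor.
    """
    if not covered(advertised, router):
        return False, f"{advertised} is not certified for {router.subject}"
    cert, hops = router, 0
    while cert.issuer is not None:
        hops += 1
        if hops > 16:                       # guard against a looping chain
            return False, "certification path too long"
        for p in cert.prefixes:
            if not covered(p, cert.issuer):
                return False, f"{cert.subject} claims {p} outside {cert.issuer.subject}"
        cert = cert.issuer
    if cert.subject not in trust_anchors:
        return False, f"path ends at untrusted anchor {cert.subject}"
    return True, "ok"

# Constructed sample chain: RIR trust anchor -> ISP -> router.
RIR = Cert("RIR-TA (constructed)", None, ["2001:db8::/32"])
ISP = Cert("ISP-CA (constructed)", RIR, ["2001:db8:100::/40"])
ROUTER = Cert("router1 (constructed)", ISP, ["2001:db8:100:1::/64"])
# A router certificate claiming space its issuer does not hold.
ROGUE = Cert("rogue-router (constructed)", ISP, ["2001:db8:200::/48"])
TRUSTED = {"RIR-TA (constructed)"}

if __name__ == "__main__":
    print(validate_path(ROUTER, TRUSTED, "2001:db8:100:1::/64"))
    print(validate_path(ROUTER, TRUSTED, "2001:db8:200:1::/64"))
    print(validate_path(ROGUE, TRUSTED, "2001:db8:200:1::/64"))
```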


