[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Arturo Servin aservin at lacnic.net
Thu Sep 22 21:30:41 CEST 2011


	Not really.

	It is getting worse.

	In RPKI, RIRs are issuing certificates to entities that have received resources (IPv4, IPv6 and ASNs) from them. Those entities will use those certificates to create other objects (called ROAs) that will be used by routers to perform origin validation in BGP.

	It has nothing to do with SEND.

	And there are several documents describing RPKI, not just one. See (basically the ones in the Editors Queue):

http://tools.ietf.org/wg/sidr/

Regards.
as

On 22 Sep 2011, at 16:24, Jean-Michel Combes wrote:

> 2011/9/22 Jean-Michel Combes <jeanmichel.combes at gmail.com>:
>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>> Jean,
>>> 
>>> On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
>>> 
>>>> Hi Arturo,
>>>> 
>>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>>> Jean,
>>>>> 
>>>>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>>>> 
>> [snip]
>>>>>> - Auto-configuration
>>>>>> "SEND is very difficult to deploy (it requires a PKI)"
>>>>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>>>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>>>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>>>>> the needed certificates. Now I agree there is still work to deploy
>>>>>> this technology in product networks.
>>>>> 
>>>>>   I think you are mixing concepts. RPKI does have to do anything with SEND.
>>>> 
>>>> Please, read the draft
>>> 
>>>        Which one, there are like 10.
>> 
>> Last version, so *-10 (which has RFC Ed Queue status).
>> 
>>> 
>>>> and you should see the relationship with SIDR
>>>> WG works and so RPKI.
>>> 
>>>        The only common thing between RPKI and SEND is that both use PKI. No more.
>> 
>> OK. At first, I am not a PKI expert. Now, from what I understand (PKI
>> experts, please, don't hesitate to correct me :)):
>> 
>> RPKI is based on SPKI, meaning you don't care who is the owner of the
>> certificate (i.e., DN) but you only need to know an entity is allowed
>> to provide a service. This is not the case in a classical PKI (i.e.,
>> applications check DN in the cert).
>> 
>>> 
>>>        I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).
>> 
>> RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
>> Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
>> the hosts should only store RIRs' certificates to get
> 
> ooops .... wrong manipulation :s
> 
> ... to get the right certification path. Is it clearer?
> 
> Best regards.
> 
> JMC.
> 
>> 
>>> 
>>> .as
>>> 
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>> 
>> 
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
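
As an added illustration of the origin validation mentioned in the reply above (not part of the original thread, and not any RIR's or router vendor's code): a sketch of how a router classifies a BGP announcement against validated ROA data, following the RFC 6811 procedure. The prefixes and AS numbers are constructed from documentation ranges, and the names `VRP`, `vrp` and `validate_origin` are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Union

class VRP(NamedTuple):
    """Validated ROA payload: what a router keeps from a verified ROA."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int   # longest announced prefix length the ROA authorizes
    origin_asn: int   # AS authorized to originate the prefix

def vrp(prefix, max_length, origin_asn):
    return VRP(ipaddress.ip_network(prefix), max_length, origin_asn)

# Constructed sample data: documentation prefixes (RFC 3849, RFC 5737)
# and documentation ASNs (RFC 5398), not real allocations.
SAMPLE_VRPS = [
    vrp("2001:db8::/32", 48, 64496),
    vrp("2001:db8:ff00::/40", 40, 64497),
    vrp("192.0.2.0/24", 24, 64496),
]

def validate_origin(route_prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue  # subnet_of() raises TypeError across address families
        # A VRP covers the route when the route is that prefix or a more specific.
        if not route.subnet_of(v.prefix):
            continue
        covered = True
        # A match also needs the announced length within maxLength and the
        # same origin AS; AS 0 never matches.
        if (route.prefixlen <= v.max_length
                and v.origin_asn == origin_asn and origin_asn != 0):
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    # Covered by no VRP at all: the RPKI says nothing about this route.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    for pfx, asn in [("2001:db8:1::/48", 64496),    # authorized origin
                     ("2001:db8:1::/48", 64511),    # wrong origin AS
                     ("2001:db8:1:2::/64", 64496),  # more specific than maxLength
                     ("198.51.100.0/24", 64496)]:   # no covering ROA
        print(pfx, "AS%d" % asn, validate_origin(pfx, asn))
```
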
