[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Jean-Michel Combes
jeanmichel.combes at gmail.com
Thu Sep 22 21:54:39 CEST 2011
2011/9/22 Arturo Servin <aservin at lacnic.net>:
>
> Not really.
>
> It is getting worse.
Argh .... :s
>
> In RPKI RIRs are issuing certificates to entities that have received resources (IPv4, IPv6 and ASNs) from them.
Yes! Just keep this in mind ...
> Those entities will use those certificates to create other objects (called ROAs) that will be used by routers to perform origin validation in BGP.
>
For SEND, forget this :)
> It has to do nothing with SEND.
Simple example:
RIRs, when allocating a prefix to a LIR (I skip NIR :)), will provide
also, as CA, the cert associated to the allocated prefix. OK?
LIR will allocate a sub-prefix to his customers with the certs (signed
by the LIR, i.e, the LIR becomes a Sub CA) associated to the allocated
sub-prefix, OK ?
Finally, the customer will configure this sub-prefix on his router and
use the cert provided by his LIR with SEND. OK?
So, the host will be able to find a certification path to a CA, the RIR.
Clearer?
Best regards.
JMC.
>
> And there are several documents describing RPKI, not just one. See (basically the ones in the Editors Queue):
>
> http://tools.ietf.org/wg/sidr/
>
> Regards.
> as
>
> On 22 Sep 2011, at 16:24, Jean-Michel Combes wrote:
>
>> 2011/9/22 Jean-Michel Combes <jeanmichel.combes at gmail.com>:
>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>> Jean,
>>>>
>>>> On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
>>>>
>>>>> Hi Arturo,
>>>>>
>>>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>>>> Jean,
>>>>>>
>>>>>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>>>>>
>>> [snip]
>>>>>>> - Auto-configuration
>>>>>>> "SEND is very difficult to deploy (it requires a PKI)"
>>>>>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>>>>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>>>>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>>>>>> the needed certificates. Now I agree there is still work to deploy
>>>>>>> this technology in product networks.
>>>>>>
>>>>>> I think your are mixing concepts. RPKI does have to do anything with SEND.
>>>>>
>>>>> Please, read the draft
>>>>
>>>> Which one, there are like 10.
>>>
>>> Last version, so *-10 (which has RFC Ed Queue status).
>>>
>>>>
>>>>> and you should see the relationship with SIDR
>>>>> WG works and so RPKI.
>>>>
>>>> The only common thing between RPKI and SEND is that both use PKI. No more.
>>>
>>> OK. At first, I am not a PKI expert. Now, from what I understand (PKI
>>> experts, please, don't hesitate to correct me :)):
>>>
>>> RPKI is based on SPKI, meaning you don't care who is the owner of the
>>> certificate (i.e., DN) but you only need to know an entity is allowed
>>> to provide a service. This is not the case in a classical PKI (i.e.,
>>> applications check DN in the cert).
>>>
>>>>
>>>> I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).
>>>
>>> RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
>>> Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
>>> the hosts should only store RIRs' certificates to get
>>
>> ooops .... wrong manipulation :s
>>
>> ... to get the right certification path. Is it clearer?
>>
>> Best regards.
>>
>> JMC.
>>
>>>
>>>>
>>>> .as
>>>>
>>>> _______________________________________________
>>>> Ipv6hackers mailing list
>>>> Ipv6hackers at lists.si6networks.com
>>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>>>
>>>
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>
More information about the Ipv6hackers
mailing list