[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Arturo Servin aservin at lacnic.net
Thu Sep 22 21:58:43 CEST 2011


Jean,

Now with Geoff's input I get your point.

-as

On 22 Sep 2011, at 16:54, Jean-Michel Combes wrote:

> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>> 
>>        Not really.
>> 
>>        It is getting worse.
> 
> Argh .... :s
> 
>> 
>>        In RPKI RIRs are issuing certificates to entities that have received resources (IPv4, IPv6 and ASNs) from them.
> 
> Yes! Just keep this in mind ...
> 
>> Those entities will use those certificates to create other objects (called ROAs) that will be used by routers to perform origin validation in BGP.
>> 
> 
> For SEND, forget this :)
> 
>>        It has nothing to do with SEND.
> 
> Simple example:
> 
> RIRs, when allocating a prefix to a LIR (I skip NIR :)), will provide
> also, as CA, the cert associated to the allocated prefix. OK?
> LIR will allocate a sub-prefix to his customers with the certs (signed
> by the LIR, i.e., the LIR becomes a Sub CA) associated to the allocated
> sub-prefix, OK?
> Finally, the customer will configure this sub-prefix on his router and
> use the cert provided by his LIR with SEND. OK?
> So, the host will be able to find a certification path to a CA, the RIR.
> 
> Clearer?
> 
> Best regards.
> 
> JMC.
> 
>> 
>>        And there are several documents describing RPKI, not just one. See (basically the ones in the RFC Editor's Queue):
>> 
>> http://tools.ietf.org/wg/sidr/
>> 
>> Regards.
>> as
>> 
>> On 22 Sep 2011, at 16:24, Jean-Michel Combes wrote:
>> 
>>> 2011/9/22 Jean-Michel Combes <jeanmichel.combes at gmail.com>:
>>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>>> Jean,
>>>>> 
>>>>> On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
>>>>> 
>>>>>> Hi Arturo,
>>>>>> 
>>>>>> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>>>>>>> Jean,
>>>>>>> 
>>>>>>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>>>>>> 
>>>> [snip]
>>>>>>>> - Auto-configuration
>>>>>>>> "SEND is very difficult to deploy (it requires a PKI)"
>>>>>>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>>>>>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>>>>>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>>>>>>> the needed certificates. Now I agree there is still work to deploy
>>>>>>>> this technology in production networks.
>>>>>>> 
>>>>>>>   I think you are mixing concepts. RPKI does not have anything to do with SEND.
>>>>>> 
>>>>>> Please, read the draft
>>>>> 
>>>>>        Which one? There are like 10.
>>>> 
>>>> Last version, so *-10 (which has RFC Ed Queue status).
>>>> 
>>>>> 
>>>>>> and you should see the relationship with SIDR
>>>>>> WG works and so RPKI.
>>>>> 
>>>>>        The only common thing between RPKI and SEND is that both use PKI. No more.
>>>> 
>>>> OK. At first, I am not a PKI expert. Now, from what I understand (PKI
>>>> experts, please, don't hesitate to correct me :)):
>>>> 
>>>> RPKI is based on SPKI, meaning you don't care who is the owner of the
>>>> certificate (i.e., DN) but you only need to know an entity is allowed
>>>> to provide a service. This is not the case in a classical PKI (i.e.,
>>>> applications check DN in the cert).
>>>> 
>>>>> 
>>>>>        I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).
>>>> 
>>>> RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
>>>> Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
>>>> the hosts should only store RIRs' certificates to get
>>> 
>>> ooops .... wrong manipulation :s
>>> 
>>> ... to get the right certification path. Is it clearer?
>>> 
>>> Best regards.
>>> 
>>> JMC.
>>> 
>>>> 
>>>>> 
>>>>> .as
>>>>> 
>>>>> _______________________________________________
>>>>> Ipv6hackers mailing list
>>>>> Ipv6hackers at lists.si6networks.com
>>>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>>>> 
>>>> 
>> 
>> 

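The certification path Jean-Michel sketches above (RIR as trust anchor, LIR as sub-CA, customer router cert, host holding only the RIR certificate) is modelled here as an added example; it is not code from the thread or from any SEND/RPKI implementation. Names, prefixes and the certificate store are constructed, and the issuer's signature over each child certificate is represented only by the `issuer` link rather than verified; what the example exercises is the path building and the RFC 3779 prefix-containment check that makes a resource certificate useful to a SEND host.

```python
# Added example: simplified SEND/RPKI certification-path check.
# Constructed data; signature verification is abstracted into the `issuer` link.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceCert:
    subject: str
    issuer: str
    prefixes: tuple  # RFC 3779-style IP address block extension (constructed)

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def covered(child: ResourceCert, parent: ResourceCert) -> bool:
    """RFC 3779 containment: every child prefix lies inside a parent prefix of the same family."""
    parent_nets = _nets(parent.prefixes)
    return all(any(c.version == p.version and c.subnet_of(p) for p in parent_nets)
               for c in _nets(child.prefixes))

def build_path(cert, store, trust_anchors):
    """Walk issuer links from the router's cert up to a trust anchor the host holds."""
    path = [cert]
    while path[-1].subject not in trust_anchors:
        issuer = store.get(path[-1].issuer)
        if issuer is None or issuer in path:  # unknown issuer or issuer loop
            return None
        path.append(issuer)
    return path

def validate_ra_prefix(cert, advertised_prefix, store, trust_anchors):
    """Accept the advertised prefix only if the cert chains to a trust anchor and
    the prefix, and every link in the chain, is covered by the issuer above it."""
    path = build_path(cert, store, trust_anchors)
    if path is None:
        return False
    adv = ipaddress.ip_network(advertised_prefix)
    if not any(adv.version == p.version and adv.subnet_of(p) for p in _nets(cert.prefixes)):
        return False
    return all(covered(child, parent) for child, parent in zip(path, path[1:]))

# Constructed sample chain: RIR (trust anchor) -> LIR (sub-CA) -> customer router
RIR = ResourceCert("RIR", "RIR", ("2001:db8::/32",))
LIR = ResourceCert("LIR", "RIR", ("2001:db8:1000::/36",))
ROUTER = ResourceCert("router.example", "LIR", ("2001:db8:1000:1::/64",))
OVERCLAIM = ResourceCert("overclaim.example", "LIR", ("2001:db9::/48",))  # outside LIR's block
STORE = {c.subject: c for c in (RIR, LIR, ROUTER, OVERCLAIM)}
TRUST_ANCHORS = {"RIR"}  # the host stores only the RIR certificate
```

A router advertising a prefix its LIR was never delegated fails at the LIR link even though its certificate is otherwise well formed, which is the check that lets a host trust only the RIR certificate.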


