
Re: [lisp-interest] Securing the mapping response




Scott,

Still, if you are only authoritative for 240.0.0.0/24 and announce that on the ALT-BGP session, you will receive the map-request from the ALT-TOPOLOGY for any flow with destination 240.0.0.1. If you send a MAP-REPLY for 240.0.0.0/16, you will be poisoning the ITR mapping cache.

Am I missing anything?

Roque



On Jul 30, 2008, at 1:28 PM, Scott Brim wrote:

On 7/30/08 11:33 AM, Roque Gagliano allegedly wrote:
Hi,
Today the issue was raised about how to certify the "right of use" of an EID when I get a map-response. Today SIDR is developing what is called a ROA that matches IP prefixes to ASN with right of use. Can't we use the certificates and sign (still using CMS wrapping), instead of the ASN, the RLOC or the list of RLOCs? Do you believe this could be useful?

Yes we could if we need it. I'm not sure how useful it would be. ETRs are already authenticated when they join the ALT and attract Map-Requests to themselves, and they use a nonce in the Map-Reply. Is that enough?

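An added example, not part of the original messages: a small Python model of an ITR deciding whether to cache a Map-Reply, comparing the nonce check mentioned in the thread with an additional check against a verified prefix-to-RLOC authorization table of the kind proposed above. The class and function names, the table contents and the RLOC address are assumptions for illustration, and verification of the signed authorization objects is assumed to have happened before the table is built.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapReply:
    nonce: int
    eid_prefix: str   # EID prefix the replying ETR claims
    rlocs: tuple      # locators offered for that prefix


# Hypothetical authorization table (ROA-like): EID prefix -> RLOCs allowed
# to answer for it. Constructed sample data, assumed already verified.
AUTHORIZED = {
    ipaddress.ip_network("240.0.0.0/24"): {"192.0.2.1"},
}


def nonce_only_accepts(reply, pending_nonce, requested_eid):
    """Accept if the nonce is echoed and the claimed prefix covers the EID."""
    claimed = ipaddress.ip_network(reply.eid_prefix)
    return (reply.nonce == pending_nonce
            and ipaddress.ip_address(requested_eid) in claimed)


def authorized_accepts(reply, pending_nonce, requested_eid, table=AUTHORIZED):
    """Also require the claimed prefix to lie inside an authorized prefix
    and every offered RLOC to be listed for that prefix."""
    if not nonce_only_accepts(reply, pending_nonce, requested_eid):
        return False
    claimed = ipaddress.ip_network(reply.eid_prefix)
    for auth_prefix, allowed_rlocs in table.items():
        same_family = claimed.version == auth_prefix.version
        if same_family and claimed.subnet_of(auth_prefix):
            return set(reply.rlocs) <= allowed_rlocs
    return False  # claimed prefix is wider than, or outside, any authorization


if __name__ == "__main__":
    exact = MapReply(7, "240.0.0.0/24", ("192.0.2.1",))
    overclaim = MapReply(7, "240.0.0.0/16", ("192.0.2.1",))
    for name, reply in (("exact /24", exact), ("overclaim /16", overclaim)):
        print(name,
              "nonce-only:", nonce_only_accepts(reply, 7, "240.0.0.1"),
              "authorized:", authorized_accepts(reply, 7, "240.0.0.1"))
```

The nonce ties a reply to an outstanding request but says nothing about how wide the claimed prefix may be, which is why the /16 reply passes the first check and fails the second.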