Re: [lisp-interest] LISP-ALT and security

[Roque Gagliano <rgaglian@fing.edu.uy>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jul 30, 2008, at 3:56 PM, Erik Nordmark wrote:

> Vince Fuller wrote:
> > > > That was what I was suggesting in my previous email, you can  
> > > > issue  signed material (similar to ROAs for ASNs)  using RPKI  
> > > > certs that ties  the prefixes allocated from RIRs to the RLOCs  
> > > > you select. The issue here is if this is an off-line or on-line  
> > > > (inside lisp??) exchange.
> > > You need to approach it from the EID and not from the RLOC; show  
> > > that  the ETR can speak for the EID prefix. Hence with a PKI  
> > > approach you´d  need to build a certificate infrastrure based on  
> > > the delegation of the  EID prefixes.
> > If EID assignment is rooted at the RIRs and if the RIRs participate  
> > in
> > the authorization system (which one might imagine that must for the  
> > "normal",
> > BGP-based global routing system to work), then this should fall out
> > naturally.
>
> OK. Who would verify the map-reply? The ITR might not run BGP AFAIU.

Yes, it should be the ITR, in that scenario it would have to check a  
signature in the map-reply but no need for BGP but yes it means a  
crypto check an subsequent delay on filling the mapping cache.

> One way would be to send the map-reply back  via the ALT BGP  
> speakers so they they can verify it (akin to how they would verify a  
> routing update). Were you to do that then current filter technology  
> could be applied to the map-replies as well.

Yes I can see that as an option.
r.


> Without something like that I don´t see how the prefix length in the  
> map-reply can be verified.
>
>   Erik

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkiQmQYACgkQnk+WSgHpbO7w3QCfbIQFM3sJ+koyY7055CGBoSzM
sGkAnRD9UnNIXa0vOdRHG2f0DaoCuFHm
=Lybu
-----END PGP SIGNATURE-----