Re: [lisp-interest] LISP-ALT and security
On 7/30/08 4:23 PM, Roque Gagliano allegedly wrote:
> You need to approach it from the EID and not from the RLOC; show that
> the ETR can speak for the EID prefix. Hence with a PKI approach you'd
> need to build a certificate infrastructure based on the delegation of the
> EID prefixes.
which is called RPKI
(http://www.ietf.org/internet-drafts/draft-ietf-sidr-arch-03.txt),
which introduces delays.
I just remembered an idea that Noel Chiappa had when we were working on
LISP-CONS. Instead of having a key for every site, have just a few
keys, say one for each RIR. The ETR sending the Map-Reply does not sign
it with its own key. Rather, when the prefix is allocated, the RIR also
hands out a signed statement that that site has that prefix. Then the
ITR receiving the Map-Reply doesn't need to go look up a key for the
ETR, it can simply have those few RIR keys on hand. Less delay. It's a
thought, anyway.
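The check this idea implies, written out as an added example in Go (not from this thread or from any LISP implementation): the RIR signs a prefix-to-locator statement once at allocation time, the ETR attaches it to its Map-Reply, and the ITR verifies it with nothing but a static set of RIR public keys. The attestation encoding, the field names and the use of ed25519 as the signature scheme are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
	"strings"
)

// MapReply is the ETR's answer with the RIR attestation attached. The ETR signs nothing
// itself, so the ITR never has to look up a per-site key. Field layout is constructed for
// this example, not a LISP wire format.
type MapReply struct {
	EIDPrefix, RLOC, RIR string
	AttBody, AttSig      []byte // attestation bytes exactly as signed, and the RIR signature over them
}

// rirSign runs at the RIR when the prefix is allocated, once, not per Map-Reply. The
// signed statement is "<prefix> <rloc>": this locator may answer for this EID prefix.
func rirSign(priv ed25519.PrivateKey, prefix, rloc string) (body, sig []byte) {
	body = []byte(prefix + " " + rloc)
	return body, ed25519.Sign(priv, body)
}

// VerifyMapReply is the ITR-side check; it needs only the few RIR public keys held on hand.
func VerifyMapReply(trusted map[string]ed25519.PublicKey, r MapReply) error {
	pub, ok := trusted[r.RIR]
	if !ok || !ed25519.Verify(pub, r.AttBody, r.AttSig) {
		return fmt.Errorf("no valid signature from a trusted RIR (reply names %q)", r.RIR)
	}
	attPrefix, attRLOC, found := strings.Cut(string(r.AttBody), " ")
	if !found {
		return fmt.Errorf("malformed attestation")
	}
	// The locator answering for the mapping must be the one the RIR attested for the prefix.
	if attRLOC != r.RLOC {
		return fmt.Errorf("RLOC %s is not attested for %s", r.RLOC, attPrefix)
	}
	allocated, err1 := netip.ParsePrefix(attPrefix)
	claimed, err2 := netip.ParsePrefix(r.EIDPrefix)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed prefix in attestation or reply")
	}
	// The reply may cover the allocation or a more-specific piece of it, never anything broader.
	if claimed.Bits() < allocated.Bits() || !allocated.Contains(claimed.Addr()) {
		return fmt.Errorf("EID prefix %s is outside attested %s", claimed, allocated)
	}
	return nil
}
```

Note that the ITR's trust set stays the same size however many sites exist, which is the whole point of the idea; what it does not cover is revocation of an attestation once issued.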