Scott,

On Jul 30, 2008, at 5:48 PM, Scott Brim wrote:

> On 7/30/08 4:23 PM, Roque Gagliano allegedly wrote:
>
>> You need to approach it from the EID and not from the RLOC; show that the ETR can speak for the EID prefix. Hence with a PKI approach you'd need to build a certificate infrastructure based on the delegation of the EID prefixes.
>
> which is called RPKI (http://www.ietf.org/internet-drafts/draft-ietf-sidr-arch-03.txt)
>
>> which introduces delays.
>
> Yep. I just remembered an idea that Noel Chiappa had when we were working on LISP-CONS. Instead of having a key for every site, have just a few keys, say one for each RIR. The ETR sending the Map-Reply does not sign it with its own key. Rather, when the prefix is allocated, the RIR also hands out a signed statement that that site has that prefix. Then the ITR receiving the Map-Reply doesn't need to go look up a key for the ETR; it can simply have those few RIR keys on hand. Less delay. It's a thought, anyway.

The problem is that what you want to sign is the authorization for a set of RLOCs to receive traffic destined for a particular EID prefix, and you probably want the RLOCs to change over time. That is not different from the ROA case, where you want the origin ASN to change over time.

r.
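The two-level arrangement the thread is circling (an RIR-signed statement that binds a site to its EID prefix, plus a site-signed RLOC set that can change without going back to the RIR, exactly as an origin ASN changes under a ROA), as an added illustration in Go that is not part of this thread, of LISP-CONS, or of any LISP implementation; the object layouts, field names, and the sample prefix and RLOC values are assumptions of this example only, and an ITR holding nothing but the RIR public key verifies the whole chain.

```go
package main

import "crypto/ed25519"
import "encoding/json"

// Allocation is the RIR-signed statement that a site holds an EID prefix; it
// names the site's key, not its RLOCs, so the RLOCs can change later.
type Allocation struct {
	EIDPrefix string
	SiteKey   ed25519.PublicKey
	Sig       []byte
}

// Mapping is the site-signed part of a Map-Reply: the RLOCs currently
// authorized to receive traffic for the EID prefix (the ROA-like object).
type Mapping struct {
	EIDPrefix string
	RLOCs     []string
	Sig       []byte
}

// tbs gives the to-be-signed bytes of an object whose Sig field is cleared.
func tbs(v interface{}) []byte { b, _ := json.Marshal(v); return b }
func NewAllocation(rir ed25519.PrivateKey, prefix string, site ed25519.PublicKey) Allocation {
	a := Allocation{EIDPrefix: prefix, SiteKey: site}
	a.Sig = ed25519.Sign(rir, tbs(a))
	return a
}
func SignMapping(site ed25519.PrivateKey, prefix string, rlocs []string) Mapping {
	m := Mapping{EIDPrefix: prefix, RLOCs: rlocs}
	m.Sig = ed25519.Sign(site, tbs(m))
	return m
}
// VerifyMapReply is the ITR-side check; only the RIR public key is on hand.
func VerifyMapReply(rir ed25519.PublicKey, a Allocation, m Mapping) bool {
	aSig, mSig := a.Sig, m.Sig
	a.Sig, m.Sig = nil, nil // a and m are copies; the caller's objects are untouched
	return ed25519.Verify(rir, tbs(a), aSig) && a.EIDPrefix == m.EIDPrefix &&
		ed25519.Verify(a.SiteKey, tbs(m), mSig)
}

// Demo returns (original reply ok, reply with a new RLOC ok, tampered reply ok).
func Demo() (bool, bool, bool) {
	rirPub, rirPriv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	sitePub, sitePriv, _ := ed25519.GenerateKey(nil)
	alloc := NewAllocation(rirPriv, "10.1.0.0/16", sitePub) // constructed sample prefix
	m1 := SignMapping(sitePriv, "10.1.0.0/16", []string{"192.0.2.1"})
	m2 := SignMapping(sitePriv, "10.1.0.0/16", []string{"198.51.100.7"}) // RLOC changed, same allocation
	bad := Mapping{EIDPrefix: m2.EIDPrefix, RLOCs: []string{"203.0.113.9"}, Sig: m2.Sig} // RLOC swapped after signing
	return VerifyMapReply(rirPub, alloc, m1), VerifyMapReply(rirPub, alloc, m2), VerifyMapReply(rirPub, alloc, bad)
}
```

The point of the split is visible in Demo: the site re-signs a new RLOC set without any new RIR statement, while a Map-Reply whose RLOCs were altered after signing fails the site-key check.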