
Re: [lisp-interest] LISP-ALT and security



Though, the replying eTR may not represent the whole RIR-assigned prefix. Perhaps you're saying that the RIR would sign a statement indicating how the LIR may/will allocate subnets (i.e. /24 nets) from the supernet? And these would be distributed to iTR nodes beforehand or looked up against a directory or table on the fly? That doesn't sound practical, but maybe I don't understand correctly.

-Benson


------Original Message------
From: Scott Brim
Sender: owner-list-interest@lists.civil-tongue.net
To: Roque Gagliano
Cc: lisp-interest@lists.civil-tongue.net
Sent: Jul 30, 2008 11:48
Subject: Re: [lisp-interest] LISP-ALT and security

On 7/30/08 4:23 PM, Roque Gagliano allegedly wrote:
>>>
>> You need to approach it from the EID and not from the RLOC; show that 
>> the ETR can speak for the EID prefix. Hence with a PKI approach you'd 
>> need to build a certificate infrastructure based on the delegation of the 
>> EID prefixes.
> 
> which is called RPKI 
> (http://www.ietf.org/internet-drafts/draft-ietf-sidr-arch-03.txt)

which introduces delays.

I just remembered an idea that Noel Chiappa had when we were working on 
LISP-CONS.  Instead of having a key for every site, have just a few 
keys, say one for each RIR.  The ETR sending the Map-Reply does not sign 
it with its own key.  Rather, when the prefix is allocated, the RIR also 
hands out a signed statement that that site has that prefix.  Then the 
ITR receiving the Map-Reply doesn't need to go look up a key for the 
ETR, it can simply have those few RIR keys on-hand.  Less delay.  It's a 
thought, anyway.


Sent via BlackBerry from T-Mobile
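The RIR-key idea in Scott's message, worked through as an added Go example; this is not code from the thread or from any LISP implementation. It assumes Ed25519 for the RIR signature, an opaque site identifier in the signed statement (the thread does not define one), a made-up field layout for the statement and the Map-Reply, and an ITR-side containment check so that a reply for a sub-prefix of the attested allocation (the /24-from-a-supernet case Benson raises) is accepted while a prefix outside it is rejected. The RIR names, site name, prefixes and RLOC are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
)

// Attestation is the RIR-signed statement "site S holds EID prefix P",
// handed to the site when the prefix is allocated. The field layout is an
// assumption made for this example, not a LISP wire format.
type Attestation struct {
	RIR       string       // name of the RIR whose key signed the statement
	Site      string       // opaque site identifier (assumed; the thread defines none)
	EIDPrefix netip.Prefix // the allocated EID prefix
	Sig       []byte       // Ed25519 signature over attestationBytes(...)
}

// attestationBytes fixes the bytes that get signed. Masking the prefix first
// makes "203.0.113.9/24" and "203.0.113.0/24" sign identically.
func attestationBytes(rir, site string, p netip.Prefix) []byte {
	return []byte(rir + "|" + site + "|" + p.Masked().String())
}

// IssueAttestation is the RIR side: sign the (site, prefix) binding once,
// at allocation time, rather than having the ETR sign each Map-Reply.
func IssueAttestation(rir string, rirKey ed25519.PrivateKey, site string, p netip.Prefix) Attestation {
	p = p.Masked()
	return Attestation{RIR: rir, Site: site, EIDPrefix: p,
		Sig: ed25519.Sign(rirKey, attestationBytes(rir, site, p))}
}

// MapReply models only the fields this check needs: the ETR asserts that it
// speaks for EIDPrefix and attaches the RIR statement for its site.
type MapReply struct {
	Site      string
	EIDPrefix netip.Prefix
	RLOC      netip.Addr
	Att       Attestation
}

// prefixCovers reports whether inner lies entirely inside outer.
func prefixCovers(outer, inner netip.Prefix) bool {
	inner = inner.Masked()
	return inner.IsValid() && outer.IsValid() &&
		inner.Addr().Is4() == outer.Addr().Is4() &&
		inner.Bits() >= outer.Bits() && outer.Contains(inner.Addr())
}

// VerifyMapReply is the ITR side. It needs only the small, pre-distributed
// set of RIR public keys: no per-site key lookup, hence no extra round trip.
func VerifyMapReply(reply MapReply, rirKeys map[string]ed25519.PublicKey) error {
	pub, ok := rirKeys[reply.Att.RIR]
	if !ok {
		return fmt.Errorf("attestation names unknown RIR %q", reply.Att.RIR)
	}
	msg := attestationBytes(reply.Att.RIR, reply.Att.Site, reply.Att.EIDPrefix)
	if !ed25519.Verify(pub, msg, reply.Att.Sig) {
		return errors.New("RIR signature does not verify")
	}
	if reply.Site != reply.Att.Site {
		return fmt.Errorf("reply is for site %q but attestation is for %q", reply.Site, reply.Att.Site)
	}
	if !prefixCovers(reply.Att.EIDPrefix, reply.EIDPrefix) {
		return fmt.Errorf("replied prefix %s is not within attested prefix %s", reply.EIDPrefix, reply.Att.EIDPrefix)
	}
	return nil
}

// NewRIRKey generates a fresh RIR key pair (example only; a real RIR key is long-lived).
func NewRIRKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	// Constructed values: one RIR, one site, one /22 allocation.
	pub, priv := NewRIRKey()
	rirKeys := map[string]ed25519.PublicKey{"RIR-A": pub}
	att := IssueAttestation("RIR-A", priv, "site-42", netip.MustParsePrefix("203.0.112.0/22"))

	// The ETR answers for a /24 carved out of its attested /22.
	good := MapReply{Site: "site-42", EIDPrefix: netip.MustParsePrefix("203.0.113.0/24"),
		RLOC: netip.MustParseAddr("198.51.100.7"), Att: att}
	fmt.Println("sub-prefix of allocation:", VerifyMapReply(good, rirKeys))

	// A reply claiming a prefix outside the attested allocation.
	bad := good
	bad.EIDPrefix = netip.MustParsePrefix("203.0.116.0/24")
	fmt.Println("out-of-range claim:", VerifyMapReply(bad, rirKeys))
}
```

What the check establishes is exactly what the signed statement covers: that the RIR allocated this prefix to this site. As in the idea as described in the thread, nothing here binds the RLOC in the reply to that site; that binding would have to come from elsewhere.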