IETF Logo Mail Archive

Re: [Idr] draft-ymbk-l3vpn-origination-00.txt

Randy Bush <randy@psg.com> Tue, 16 October 2012 04:09 UTC

Return-Path: <randy@psg.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1377521F86C3; Mon, 15 Oct 2012 21:09:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level:
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[AWL=-0.198, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SVtCiig9tF2; Mon, 15 Oct 2012 21:09:39 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id AC31821F86BB; Mon, 15 Oct 2012 21:09:39 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.80 (FreeBSD)) (envelope-from <randy@psg.com>) id 1TNyTJ-000H9B-5X; Tue, 16 Oct 2012 04:09:37 +0000
Date: Mon, 15 Oct 2012 18:09:35 -1000
Message-ID: <m2obk3girk.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Robert Raszuk <robert@raszuk.net>
In-Reply-To: <CA+b+ERkjmXv3pT7Jw_BbZ_f3hWy5rX6meW3sXGBnpmTu_FVwWA@mail.gmail.com>
References: <20121015175711.5993.31704.idtracker@ietfa.amsl.com> <m2391flias.wl%randy@psg.com> <CA+b+ERk7dzBFLFN7BGEEg7aj0ymoh50GKbMB6CGxCXWqaCCuUg@mail.gmail.com> <m2y5j7gk1r.wl%randy@psg.com> <CA+b+ERkjmXv3pT7Jw_BbZ_f3hWy5rX6meW3sXGBnpmTu_FVwWA@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Cc: idr wg <idr@ietf.org>, L3VPN <l3vpn@ietf.org>, luay.jalil@verizon.com, keyupate@cisco.com
Subject: Re: [Idr] draft-ymbk-l3vpn-origination-00.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 04:09:40 -0000

> I was not that much fishing here ... just trying to understand if you
> are validating CE-CE or PE-PE. If the latter I unfortunately think
> there is much less of the value.
> 
> When we originally started to roll out 2547 there was very clear
> consensus that real protection must happen on the CE-CE boundary.
> Trusting SP where anyone who logs into PE can do anything for any VPN
> there was never taken serious.
> 
> Note that the draft could also allow both, but this needs to be
> clearly stated in the text.

it tries to make that pretty clear

   This document describes how the originating PE, West, may sign the
   announcement so that the destination PE, East, may authenticate the
   NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364]
   Section 4.3.1.  Alternatively, the originating CE router may sign the
   announcement so that the destination CE router may authenticate the
   NLRI.

>> if they want to use the rpki, then, just as other rpki publishers
>> using 1918 space, they would have local trust anchors and certify the
>> private space.  see draft-ietf-sidr-ltamgmt.
> 
> And what happens in the event of PE-PE validation where only one SP of
> L3VPN subscribes to RPKI business ?

then they should not use rpki keying but rather their own key
infrastructure using the Key Identifier to index their KI

randy

v2.23.0 | Report a Bug | By Email