Re: [Idr] draft-ymbk-l3vpn-origination-00.txt
Randy Bush <randy@psg.com> Tue, 16 October 2012 04:09 UTC
To: Robert Raszuk <robert@raszuk.net>
Cc: idr wg <idr@ietf.org>, L3VPN <l3vpn@ietf.org>, luay.jalil@verizon.com, keyupate@cisco.com

> I was not that much fishing here ... just trying to understand if you
> are validating CE-CE or PE-PE. If the latter I unfortunately think
> there is much less of the value.
>
> When we originally started to roll out 2547 there was very clear
> consensus that real protection must happen on the CE-CE boundary.
> Trusting SP where anyone who logs into PE can do anything for any VPN
> there was never taken serious.
>
> Note that the draft could also allow both, but this needs to be
> clearly stated in the text.

it tries to make that pretty clear

   This document describes how the originating PE, West, may sign the
   announcement so that the destination PE, East, may authenticate the
   NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364]
   Section 4.3.1.  Alternatively, the originating CE router may sign
   the announcement so that the destination CE router may authenticate
   the NLRI.

>> if they want to use the rpki, then, just as other rpki publishers
>> using 1918 space, they would have local trust anchors and certify the
>> private space. see draft-ietf-sidr-ltamgmt.
>
> And what happens in the event of PE-PE validation where only one SP of
> L3VPN subscribes to RPKI business ?

then they should not use rpki keying but rather their own key
infrastructure using the Key Identifier to index their KI

randy