Re: [Idr] draft-ymbk-l3vpn-origination-00.txt

[Robert Raszuk <robert@raszuk.net>]

Hey Pranav,

Do you really believe that each 7-11 or Walmart store will be
subscribing to global RPKI or building their own key infrastructure? I
do not. It seems few orders of magnitude easier to sign advertisements
at the src/spoke and validate signature at the hub site by the same
very network admin residing in the enterprise hub location. That is
something we should define in BGP for VPNs and not trying to reuse
origin validation concept which works well (for what it is designed to
do) in the Internet case.

Btw ,,, I do not buy any "trusted" ASBR business ;)

Best,
R.

On Tue, Oct 16, 2012 at 11:02 PM, Pranav Mehta (pmehta)
<pmehta@cisco.com> wrote:
> Robert,
>
> As Randy already mentioned, Draft already covers an alternate approach where originating CE would sign the announcement and it will come all the way to destination CE to authenticate.
>
> Alternately this mechanism can also help in Inter-AS scenario.  In Inter-AS scenario, originating CE can sign the announcement and a "trusted" ASBR on the Inter-AS boundary can authenticate the announcement if customer trusts one of the two ISPs.    In such scenario, ISP may use the Key identifier to find the Key associated with the VPN and send unsigned NLRI in its own network once it is authenticated at ASBR boundary.
>
> - Pranav
>
> -----Original Message-----
> From: Randy Bush [mailto:randy@psg.com]
> Sent: Monday, October 15, 2012 9:10 PM
> To: Robert Raszuk
> Cc: Keyur Patel (keyupate); Pranav Mehta (pmehta); Arjun Sreekantiah (asreekan); luay.jalil@verizon.com; idr wg; L3VPN
> Subject: Re: [Idr] draft-ymbk-l3vpn-origination-00.txt
>
>> I was not that much fishing here ... just trying to understand if you
>> are validating CE-CE or PE-PE. If the latter I unfortunately think
>> there is much less of the value.
>>
>> When we originally started to roll out 2547 there was very clear
>> consensus that real protection must happen on the CE-CE boundary.
>> Trusting SP where anyone who logs into PE can do anything for any VPN
>> there was never taken serious.
>>
>> Note that the draft could also allow both, but this needs to be
>> clearly stated in the text.
>
> it tries to make that pretty clear
>
>    This document describes how the originating PE, West, may sign the
>    announcement so that the destination PE, East, may authenticate the
>    NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364]
>    Section 4.3.1.  Alternatively, the originating CE router may sign the
>    announcement so that the destination CE router may authenticate the
>    NLRI.
>
>>> if they want to use the rpki, then, just as other rpki publishers
>>> using 1918 space, they would have local trust anchors and certify the
>>> private space.  see draft-ietf-sidr-ltamgmt.
>>
>> And what happens in the event of PE-PE validation where only one SP of
>> L3VPN subscribes to RPKI business ?
>
> then they should not use rpki keying but rather their own key infrastructure using the Key Identifier to index their KI
>
> randy