nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 23 Nov 2005 23:01:01 -0500

In message <17285.13981.462449.539200 () roam psg com>, Randy Bush writes:

We need prefix ownership certs; these need a special field identifying the
prefix owned.  (See RFC 3779, which also describes AS certificates).  We
need the latter in CA form, for delegation.


sorry to complicate, by iana allocates as ranges which are then
subbed to rirs.  so the ca bit could be set on these



I thought I'd mentioned earlier that we may want two different forms of 
prefix cert, with with CA and one without.  The one without goes in the 
routers; the one with CA is used to issue certs to downstreams.

Rationale for the two certs: if a router is badly 0wned, someone can 
steal its private key and use it for address hijacking.  But that sort 
of gross abuse of an entire prefix is likely to be noticed.  A CA cert 
can be used to issue certs for longer prefixes, i.e., target one 
customer, rather than an entire ISP.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Previous By Date Next
Previous By Thread Next

Current thread: