North American Network Operators Group

Re: soBGP deployment
One of, perhaps, the most confusing aspects of soBGP is that there are four certificates. Why not just do one certificate? Because of this specific separation....

Don't confuse cryptography with security.

You do need "trusted third party" to act as PKI root signer. We're lucky because unlike other places, we do have hierarchy with IP addresses and ASNs and NIR is the "root" organization.

1. We need someone to verify X's key is really X's key. We believe SP's won't, necessarily, want to be in this business.

2. We need someone to verify X is allowed to advertise Y. We believe RR's and SP's will probably be in this business, whether or not they like it.

3. We need some way for a local AS to express various things that don't need to be signed by some third party, connectivity and policy, specifically.

We want different chains of trust--one person to say "this is X's key," another to say: "this is X's address space."

:-)

Russ

__________________________________
[email protected] CCIE <>< Grace Alone