[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Gert Doering
gert at space.net
Mon May 9 16:32:34 CEST 2011
Hi,

On Mon, May 09, 2011 at 02:24:15PM +0100, boggits wrote:
> Maybe it's the fact that RIPE are providing the full solution as well
> as the ability to publish the information that's the issue, if rather
> than the NCC creating a tool for validation it just published the keys
> and the software tools for people to do the validation themselves then
> I might be happier.

Uh. As far as I understand, the validation is always done by your local setup, and various software options(!) exist for that.

The NCC provides a trusted data store where it signs which IP resources belong to what certificate (not "entity"). Based on that, the network holder can sign a ROA "I authorize this AS to announce my network" (and of course that would not be overly useful without someone who has that authority to actually attest that "my" bit there).

That ROA would currently be stored in the RIPE database, but it could be stored anywhere, with a pointer in your certificate "look *there* for my ROAs".

Then whoever is interested runs a software that collects the various bits and pieces from wherever they are stored - guided by referrals, or (again!) by local policy - "these guys I trust, their networks I always grab from *that* store, authenticated by *this* trust anchor".

One such solution is Randy's RCynic, another one would be what BBN (Steve Kent) has developed, and a third one would be the RIPE NCC validator. Google sends me to these links for a list of RPKI validation tools and their interop tests:

http://www.ietf.org/proceedings/80/slides/sidr-12.pdf
http://www.ietf.org/proceedings/80/slides/sidr-10.pdf

This stuff then generates a list of <network|AS> pairs from the data, and sends it to your routers - no crypto involved on the routers, no 10000-lines-prefixlists for peer validation, very lightweight operation - where it is then used for policy decisions.

Gert Doering
-- Address Policy WG --

-- 
did you enable IPv6 on something today...?

SpaceNet AG                        Management board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            VAT ID: DE813185279
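The router-side step Gert describes (a list of <network|AS> pairs, no crypto on the router, used for policy decisions) is the route origin validation check of RFC 6811. The following is an added illustration, not code from the post or from any of the validators it names; the VRP list and the announcements are constructed sample data, and the three result states follow RFC 6811.

```python
# Added example: RFC 6811 route origin validation against a list of
# validated ROA payloads (VRPs), i.e. the <network|AS> pairs a validator
# hands to routers. All prefixes and ASNs below are constructed samples
# from documentation ranges.
import ipaddress

# Constructed VRP list: (prefix, maxLength, authorised origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]


def validate_route(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Classify an announced route as 'valid', 'invalid' or 'not-found'.

    not-found: no VRP covers the prefix at all (RPKI says nothing).
    valid:     some covering VRP names this origin AS and the announced
               prefix is no longer than that VRP's maxLength.
    invalid:   covering VRPs exist, but none matches origin and length.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # Only compare within the same address family; subnet_of() raises
        # on mixed IPv4/IPv6 input.
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        if vrp_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def validate_table(routes, vrps=VRPS) -> dict:
    """Run validate_route over (prefix, origin_as) pairs; returns a dict
    keyed by (prefix, origin_as) so a policy can act on each state."""
    return {(p, a): validate_route(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
              ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496)]
    for key, state in validate_table(sample).items():
        print(key, "->", state)
```

A typical policy then drops or deprefs "invalid" routes and leaves "not-found" alone, which is why a too-specific announcement (/25 under a maxLength-24 ROA) is rejected even from the right origin.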