> I was not that much fishing here ... just trying to understand if you > are validating CE-CE or PE-PE. If the latter I unfortunately think > there is much less of the value. > > When we originally started to roll out 2547 there was very clear > consensus that real protection must happen on the CE-CE boundary. > Trusting SP where anyone who logs into PE can do anything for any VPN > there was never taken serious. > > Note that the draft could also allow both, but this needs to be > clearly stated in the text.
it tries to make that pretty clear This document describes how the originating PE, West, may sign the announcement so that the destination PE, East, may authenticate the NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364] Section 4.3.1. Alternatively, the originating CE router may sign the announcement so that the destination CE router may authenticate the NLRI. >> if they want to use the rpki, then, just as other rpki publishers >> using 1918 space, they would have local trust anchors and certify the >> private space. see draft-ietf-sidr-ltamgmt. > > And what happens in the event of PE-PE validation where only one SP of > L3VPN subscribes to RPKI business ? then they should not use rpki keying but rather their own key infrastructure using the Key Identifier to index their KI randy
