Hi Pranav,

Help me understand here: if we are talking about a statically configured key on the CEs, would it not be better to consider an e-signature from Verisign instead?

Thx,
R.

----- Reply message -----
From: "Pranav Mehta (pmehta)" <[email protected]>
To: "Robert Raszuk" <[email protected]>
Cc: "Randy Bush" <[email protected]>, "Keyur Patel (keyupate)" <[email protected]>, "Arjun Sreekantiah (asreekan)" <[email protected]>, "[email protected]" <[email protected]>, "idr wg" <[email protected]>, "L3VPN" <[email protected]>
Subject: [Idr] draft-ymbk-l3vpn-origination-00.txt
Date: Wed, Oct 17, 2012 10:25

Hi Robert,

Thanks for your feedback. My comments inline.. #P#

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Robert Raszuk
Sent: Tuesday, October 16, 2012 9:47 PM
To: Pranav Mehta (pmehta)
Cc: Randy Bush; Keyur Patel (keyupate); Arjun Sreekantiah (asreekan); [email protected]; idr wg; L3VPN
Subject: Re: [Idr] draft-ymbk-l3vpn-origination-00.txt

Hey Pranav,

Do you really believe that each 7-11 or Walmart store will be subscribing to global RPKI or building their own key infrastructure? I do not.

It seems a few orders of magnitude easier to sign advertisements at the src/spoke and validate the signature at the hub site by the very same network admin residing in the enterprise hub location. That is something we should define in BGP for VPNs, and not try to reuse the origin validation concept, which works well (for what it is designed to do) in the Internet case.

#P# I don't think 7-11/Walmart will be subscribing to global RPKI or even building their own infrastructure. RPKI makes it easier to distribute the key, but the end CE can be configured to use a static key, and this draft doesn't preclude provisioning using static configuration. As far as all the sites belonging to the same network admin, the same key can be provisioned on all the sites, and in such a case we don't need to get RPKI infrastructure involved. If it's not clear from the draft, we can definitely change the wording to clarify this.

Btw, I do not buy any "trusted" ASBR business ;)

#P# In most of the cases I agree that this asymmetric solution might not be preferred, but think about a scenario where a VPN has a few sites connected via a non-trusted provider and most of the other sites (maybe in the thousands) are connected to a trusted provider. Instead of upgrading all these sites to generate signed NLRIs, the VPN can choose to just add the authentication at the ASBR boundary to protect prefix origination from the un-trusted network. The goal of this draft is to allow that flexibility by adding a Key Identifier so that the VPN is not forced to upgrade all the sites under this scenario.

Thanks,
-- Pranav
