Robert, As Randy already mentioned, Draft already covers an alternate approach where originating CE would sign the announcement and it will come all the way to destination CE to authenticate.
Alternately this mechanism can also help in Inter-AS scenario. In Inter-AS scenario, originating CE can sign the announcement and a "trusted" ASBR on the Inter-AS boundary can authenticate the announcement if customer trusts one of the two ISPs. In such scenario, ISP may use the Key identifier to find the Key associated with the VPN and send unsigned NLRI in its own network once it is authenticated at ASBR boundary. - Pranav -----Original Message----- From: Randy Bush [mailto:[email protected]] Sent: Monday, October 15, 2012 9:10 PM To: Robert Raszuk Cc: Keyur Patel (keyupate); Pranav Mehta (pmehta); Arjun Sreekantiah (asreekan); [email protected]; idr wg; L3VPN Subject: Re: [Idr] draft-ymbk-l3vpn-origination-00.txt > I was not that much fishing here ... just trying to understand if you > are validating CE-CE or PE-PE. If the latter I unfortunately think > there is much less of the value. > > When we originally started to roll out 2547 there was very clear > consensus that real protection must happen on the CE-CE boundary. > Trusting SP where anyone who logs into PE can do anything for any VPN > there was never taken serious. > > Note that the draft could also allow both, but this needs to be > clearly stated in the text. it tries to make that pretty clear This document describes how the originating PE, West, may sign the announcement so that the destination PE, East, may authenticate the NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364] Section 4.3.1. Alternatively, the originating CE router may sign the announcement so that the destination CE router may authenticate the NLRI. >> if they want to use the rpki, then, just as other rpki publishers >> using 1918 space, they would have local trust anchors and certify the >> private space. see draft-ietf-sidr-ltamgmt. > > And what happens in the event of PE-PE validation where only one SP of > L3VPN subscribes to RPKI business ? then they should not use rpki keying but rather their own key infrastructure using the Key Identifier to index their KI randy
