Re: [sidr] Last Call: <draft-ietf-sidr-origin-ops-21.txt> (RPKI-Based Origin Validation Operation) to Best Current Practice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



how about

   To relieve routers of the load of performing certificate validation,
   cryptographic operations, etc., the RPKI-Router protocol, [RFC6810],
   does not provide object-based security to the router.  I.e. the
   router may not validate the data cryptographically from a well-known
   trust anchor.  The router trusts the cache to provide correct data
   and relies on transport based security for the data received from the
   cache.  Therefore the authenticity and integrity of the data from the
   cache should be well protected, see Section 7 of [RFC6810].

   As RPKI-based origin validation relies on the availability of RPKI
   data, operators SHOULD locate RPKI caches close to routers that
   require these data and services in order to minimize the impact of
   likely failures in local routing, intermediate devices, long
   circuits, etc.  One also should consider trust boundaries, routing
   bootstrap reachability, etc.  E.g. a router should bootstrap from a
   chache which is reachable with minimal reliance on other
   infrastructure such as DNS or routing protocols.

randy




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]