RPKI chain of trust

Fabiano D'Agostino fabiano.dagostino96 at gmail.com
Wed Aug 26 09:03:18 UTC 2020


Hi Alex,
thank you. I read that documentation and I was reading this one from page
201:
https://www.ripe.net/support/training/material/bgp-operations-and-security-training-course/BGP-Slides-Single.pdf


It seems that RIRs have a self-signed root certificate. They use this
certificate to sign LIR's certificates and LIR's private key is used to
sign ROAs. I am not very sure about the use of public keys.

Fabiano

On Wed, 26 Aug 2020 at 10:39, Alex Band <alex at nlnetlabs.nl> wrote:

> Perhaps this clarifies things:
>
>
> https://rpki.readthedocs.io/en/latest/rpki/introduction.html#mapping-the-resource-allocation-hierarchy-into-the-rpki
>
> As well as this section:
>
> https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html
>
> Cheers,
>
> Alex
>
> > On 26 Aug 2020, at 10:25, Fabiano D'Agostino <fabiano.dagostino96 at gmail.com> wrote:
> >
> > Good morning everyone,
> > I have a doubt about the RPKI chain of trust. The 5 RIRs hold a self-signed
> > root certificate for all the resources they have in the registry. The root
> > certificate is used to sign the LIR's certificates that list LIR's
> > resources. LIRs use their private key to sign ROAs. LIR's public key is
> > used to verify ROAs signatures and RIRs' public key is used to verify LIR's
> > signatures.
> >
> > Is this correct?
> >
> > Thanks in advance,
> >
> > Fabiano
>
>