Hi,

On Fri, Jan 08, 2010 at 02:50:55PM -0800, Templin, Fred L wrote:
> > > > How do you verify those are not malicious?
> > >
> > > The sending CPE has to supply sufficient credentials to
> > > prove that it is authorized to advertise a given set of
> > > prefixes.
> >
> > Which is, as far as I understand, not part of any currently
> > standardized RAs. Are there any drafts specifying this?
>
> RFC3971 is the primary example I had in mind.

OK, on re-reading 3971, I agree that it could work if the ISP hands out
certificates to the individual routers that cover exactly the IPv6 network
that the ISP has assigned to this router (and it would imply that the IPv6
assignment is mostly static, or you get lots of certificate churn
otherwise).

So the RAs received from "my neighbours" could indeed be verified against
the ISP CA.

Still not something I expect to see any time soon...

Gert Doering
--
Total number of prefixes smaller than registry allocations: 144438

SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279
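Added example, not part of the original message or of RFC 3971: a sketch of the prefix-authorization step the message describes, where a receiver accepts only those RA prefixes that fall inside the address space named in the sending router's ISP-issued certificate. It assumes the RA signature and the certification path to the ISP CA have already been validated; the function names are hypothetical and the prefixes are constructed from the 2001:db8::/32 documentation range.

```python
from ipaddress import IPv6Network

def covered(prefix, authorized):
    """True if prefix lies entirely inside one of the authorized blocks."""
    return any(prefix.subnet_of(block) for block in authorized)

def check_delegation(isp_blocks, cert_blocks):
    """A router certificate may only claim space the ISP CA itself holds."""
    return all(covered(block, isp_blocks) for block in cert_blocks)

def filter_ra_prefixes(ra_prefixes, cert_blocks, isp_blocks):
    """Split the prefixes advertised in an RA into (accepted, rejected).

    Assumption: signature and certification-path checks passed before
    this function is called; only the address-space check is shown.
    """
    if not check_delegation(isp_blocks, cert_blocks):
        # Certificate claims space outside the trust anchor: trust nothing.
        return [], list(ra_prefixes)
    accepted = [p for p in ra_prefixes if covered(p, cert_blocks)]
    rejected = [p for p in ra_prefixes if not covered(p, cert_blocks)]
    return accepted, rejected

# Constructed sample data (documentation prefixes only).
ISP_CA_BLOCKS = [IPv6Network("2001:db8::/32")]            # held by the ISP CA
NEIGHBOUR_CERT = [IPv6Network("2001:db8:1234::/48")]      # assigned to one CPE
NEIGHBOUR_RA = [
    IPv6Network("2001:db8:1234:1::/64"),  # inside the assignment
    IPv6Network("2001:db8:1234::/48"),    # exactly the assignment
    IPv6Network("2001:db8::/32"),         # supernet: wider than authorized
    IPv6Network("2001:db8:5678::/48"),    # another customer's space
]
# After the ISP renumbers the CPE, the old certificate no longer matches.
RENUMBERED_RA = [IPv6Network("2001:db8:9999:1::/64")]

if __name__ == "__main__":
    ok, bad = filter_ra_prefixes(NEIGHBOUR_RA, NEIGHBOUR_CERT, ISP_CA_BLOCKS)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", [str(p) for p in bad])
    print("after renumbering:",
          filter_ra_prefixes(RENUMBERED_RA, NEIGHBOUR_CERT, ISP_CA_BLOCKS))
```

The renumbering case shows the churn concern: every change of assignment needs a fresh certificate before the neighbours will accept the new prefix.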