IP address
... X.509 v3 certificate extensions that
authorize the transfer of the right-to-use for a set of IP addresses
and autonomous system identifiers ...
... Internet service providers (ISPs) and
user organizations. The first binds a list of IP address blocks,
often represented as IP address prefixes, to the subject ...
... user organizations. The first binds a list of IP address blocks,
often represented as IP address prefixes, to the subject (private key
holder) of a certificate ...
... ISP) that has the authority
to transfer custodianship of ("allocate") the set of IP address
blocks and AS identifiers to the subject ...
... certificates provide a scalable means of verifying the right-to-use
for a set of IP address prefixes and AS identifiers. They may be
used by routing protocols ...
...
delegate - transfer of custodianship (that is, the right-to-use) of
an IP address block or AS identifier through issuance of a
certificate ...
... IANA as the regional authorities for management of IP addresses
and AS identifiers. At the time of writing, these include
...
... NCC.
right-to-use - for an IP address prefix, being authorized to specify
the AS that may originate advertisements of the prefix ...
... IP Address Delegation Extension ...
...
IP address space is currently managed by a hierarchy nominally rooted
at IANA, but managed by the RIRs ...
... IANA, but managed by the RIRs. IANA allocates IP address space to
the RIRs, who in turn allocate IP address ...
... IP address space to
the RIRs, who in turn allocate IP address space to Internet service
providers (ISPs), who may allocate IP address ...
... IP address space to Internet service
providers (ISPs), who may allocate IP address space to down stream
providers, customers ...
... providers, customers, etc. The RIRs also may assign IP address space
to organizations who are end entities, i.e., organizations who will
...
... allocation and assignment process).
The IP address delegation extension is intended to enable
verification ...
... verification of the proper delegation of IP address blocks, i.e., of
the authorization of an entity ...
... the authorization of an entity to use or sub-allocate IP address
space. Accordingly, it makes sense to take advantage of the inherent
authoritativeness of the existing administrative framework ...
... authoritativeness of the existing administrative framework for
allocating IP address space. As described in Section 1 above, this
will be achieved by issuing certificates carrying the extension
...
... of an organization to originate a BGP UPDATE advertising a path to a
particular IP address block; see, e.g., [RFC1771], [S-BGP].
...
There are two families of IP addresses: IPv4 and IPv6.
...
... IPv6 prefix is 2001:0:200/39.
An IP address or prefix is encoded in the IP address delegation ...
... bits in the last value octet, followed by the "subsequent
octets" that contain the octets of the bit string. (For IP
addresses, the encoding of the length will be just the length.)
...
While any contiguous range of IP addresses can be represented by a
set of contiguous prefixes, a more concise representation is achieved
...
... 0x03 0x06 0x02 0x20 0x01 0x00 0x00 0x00
The special case of all IP address blocks, i.e., a prefix of all
zero-bits ...
... 0x03 0x01 0x00
Note that for IP addresses the number of trailing zero-bits is
significant. For example, the DER ...
... This extension SHOULD be CRITICAL. The intended use of this
extension is to connote a right-to-use for the block(s) of IP
addresses identified in the extension. A CA marks the extension as
CRITICAL ...
... If the IPAddressChoice CHOICE contains the inherit element, then the
set of authorized IP addresses for the specified AFI and optional
SAFI ...
... IPAddress type
defines a range of IP addresses in which the most-significant (left-
most) N bits of the address ...
... addresses 2001:0:2:: to 2001:0:2:ffff:ffff:ffff:ffff:ffff.
An IP address prefix is encoded as a BIT STRING. The DER encoding ...
... (element min) and maximum (element max) IP address. Each IP address
is encoded as a BIT STRING ...
... element min) and maximum (element max) IP address. Each IP address
is encoded as a BIT STRING. The semantic ...
... address in an IPAddressRange is that all the unspecified bits
(for the full length of the IP address) are zero-bits. The semantic
...
To simplify the comparison of IP address blocks when performing
certification path validation ...
... certification path validation, a maximum IP address MUST contain at
least one bit whose value is 1, i.e., the subsequent octets may not
...
... Certification path validation of a certificate containing the IP
address delegation extension requires additional processing. As each
certificate ...
... certificate in a path is validated, the IP addresses in the IP
address delegation extension of that certificate ...
... certificate in a path is validated, the IP addresses in the IP
address delegation extension of that certificate MUST be subsumed by
...
... delegation extension of that certificate MUST be subsumed by
IP addresses in the IP address delegation extension in the issuer ...
... certificate MUST be subsumed by
IP addresses in the IP address delegation extension in the issuer's
...
... validation
of certificates containing the IP address delegation extension, as
well as all certificates ...
... delegation extension, as
well as all certificates along the path, MUST each contain the IP
address delegation extension. The initial set of allowed address
...
... These extensions represent authorization information, i.e., a right-
to-use for IP addresses or AS identifiers. They were developed to
support a secure version ...
... holder of the private key (the Subject) is authorized to use the IP
addresses or AS identifiers represented in the extension(s). As a
result of this capability model, the Subject ...
...
This normative appendix describes the IP address and AS identifiers
extensions used by conforming PKI ...
... Appendix B -- Examples of IP Address Delegation Extensions ...
... RIRs) to the end-user
organizations, the "right-to-use" for IP address blocks or AS
identifiers.
...
The two resources, AS identifiers and IP address blocks, are
currently managed differently. All organizations with the right-to-
use for an AS identifier ...
... authorization directly from an
RIR. Organizations with a right-to-use for an IP address block
receive the authorization either directly from an RIR ...
... Thus the two points in the first cited paragraph above are not true
in the case of AS number and IP address block allocations. The point
of the second cited paragraph is also not applicable as the resources
are not being bound to an identity ...
... ISPs to DSPs and assignment to end
organizations would require the use of chains, at least for IP
address blocks. A description of how the superior's AC should be
located and how it should be processed would have to be provided.
...
... issuer (by configuration or otherwise)."
This is not true in the case of a right-to-use for an IP address
block, which is allocated through a hierarchy. Certification path
...
