On Sun, 20 Sep 2009, Jeffrey I. Schiller wrote:

I had a hard time figuring out where to "chain" this message, so I
stuck it here...

Let's take a step back please.

What is the purpose of RPKI/SIDR? Is it to enforce allocation
policies? Or is it to prevent "bad guys" from spoofing routing
advertisements for the purpose of various forms of malfeasance?

I don't believe that anyone is trying to enforce allocation policies. Policies are not mentioned at all in the RPKI.

Certainly allocation actions are embodied in the RPKI, but not the policies that guided them.


I do believe these are separate problems.

If it is for enforcing allocation policies, it affects the balance of
power between the various actors. Today if there is a legal dispute
between an allocator and an organization with an allocation, it will
be solved through existing civil means. This may take some time. In
the meantime the status quo continues (from a technical/operational
perspective). With RPKI the allocator can revoke the organization's
certificate, while the civil process takes its time, causing harm to
the organization that is now un-routable. Don't think they won't do
the revocation. I have personally seen situations where if one party
has "the switch" to enforce their will, they use it.

On the other hand if it is to prevent "bad guys" from spoofing
routing, then the trick is to design it so that it doesn't affect the
balance of power between the various *legitimate* actors. Judging from
the conversations I have seen, I suspect we don't have a system that
doesn't affect the balance of power.

In my opinion, it is a good idea to work on not changing the balance
of power. That may require that the allocation agencies *not* be part
of the key hierarchy.

We decided way back that the authorization to originate a route to a prefix must come from the prefix holder. And that identification of a prefix holder comes from the entity that allocated the prefix.

Which decision are you recommending that we change - that we find a source of authorization to originate routes to a prefix *other than* the prefix holder?

Or that we find a way to identify the prefix holder *other than* through the entity that allocated them the prefix?

--Sandy


                       -Jeff

--
========================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
j...@mit.edu
========================================================================
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr