On Sun, 20 Sep 2009, Jeffrey I. Schiller wrote:
> I had a hard time figuring out where to "chain" this message, so I stuck it here... Let's take a step back please. What is the purpose of RPKI/SIDR? Is it to enforce allocation policies? Or is it to prevent "bad guys" from spoofing routing advertisements for the purpose of various forms of malfeasance?
I don't believe that anyone is trying to enforce allocation policies. Policies are not mentioned at all in the RPKI.
Certainly allocation actions are embodied in the RPKI, but not the policies that guided them.
> I do believe these are separate problems. If it is for enforcing allocation policies, it affects the balance of power between the various actors. Today if there is a legal dispute between an allocator and an organization with an allocation, it will be solved through existing civil means. This may take some time. In the meantime the status quo continues (from a technical/operational perspective). With RPKI the allocator can revoke the organization's certificate while the civil process takes its time, causing harm to the organization that is now un-routable. Don't think they won't do the revocation. I have personally seen situations where if one party has "the switch" to enforce their will, they use it.
>
> On the other hand, if it is to prevent "bad guys" from spoofing routing, then the trick is to design it so that it doesn't affect the balance of power between the various *legitimate* actors. Judging from the conversations I have seen, I suspect we don't have a system that doesn't affect the balance of power. In my opinion, it is a good idea to work on not changing the balance of power. That may require that the allocation agencies *not* be part of the key hierarchy.
We decided way back that the authorization to originate a route to a prefix must come from the prefix holder. And that identification of a prefix holder comes from the entity that allocated the prefix.
Which decision are you recommending that we change - that we find a source of authorization to originate routes to a prefix *other than* the prefix holder?
Or that we find a way to identify the prefix holder *other than* through the entity that allocated them the prefix?
--Sandy
> -Jeff
>
> --
> ========================================================================
> Jeffrey I. Schiller
> MIT Network Manager
> Information Services and Technology
> Massachusetts Institute of Technology
> 77 Massachusetts Avenue  Room W92-190
> Cambridge, MA 02139-4307
> 617.253.0161 - Voice
> j...@mit.edu
> ========================================================================
_______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
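Added example, not part of the thread and not IETF or sidr code. The two design decisions Sandy restates (authorization to originate comes from the prefix holder; the prefix holder is identified by the entity that allocated the prefix) and the revocation scenario Jeff raises can both be made concrete with a small model in Python. The model below replaces X.509/RFC 3779 certificates and CMS-signed ROAs with an explicit issuer link plus a revocation set; the chain TA -> RIR -> ISP -> Customer, the prefixes (RFC 3849 documentation space) and the AS numbers (RFC 5398 documentation range) are all constructed for the example. It performs route origin validation in the RFC 6811 sense (Valid / Invalid / NotFound), enforces that a child's resources are a subset of its issuer's, and then shows what happens to the Customer's routes when the ISP revokes the Customer's certificate.

```python
"""Toy model of the RPKI allocation chain, ROAs and route origin validation.

Constructed example for the sidr discussion above; not a real RPKI
implementation. Signatures are modelled as an explicit issuer link plus a
revocation set. Names, prefixes and AS numbers are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Resource certificate: `issuer` certifies that `name` holds `prefixes`."""
    name: str
    prefixes: tuple[str, ...]
    issuer: str | None  # None only for the trust anchor


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: `signer` allows `asn` to originate `prefix`
    and more-specifics down to `max_length`."""
    prefix: str
    max_length: int
    asn: int
    signer: str


class ToyRPKI:
    def __init__(self, trust_anchor: Cert) -> None:
        self.certs: dict[str, Cert] = {trust_anchor.name: trust_anchor}
        self.revoked: set[str] = set()
        self.roas: list[ROA] = []

    @staticmethod
    def _covered(prefix: str, by: tuple[str, ...]) -> bool:
        net = ipaddress.ip_network(prefix)
        return any(net.subnet_of(ipaddress.ip_network(p)) for p in by)

    def issue(self, cert: Cert) -> None:
        """Allocator issues a child cert; child resources must be a subset of
        the issuer's (the RFC 6487 / RFC 3779 containment rule)."""
        issuer = self.certs[cert.issuer]
        for p in cert.prefixes:
            if not self._covered(p, issuer.prefixes):
                raise ValueError(f"{cert.issuer} does not hold {p}")
        self.certs[cert.name] = cert

    def revoke(self, name: str) -> None:
        """The allocator's 'switch': pull a certificate it issued."""
        self.revoked.add(name)

    def cert_valid(self, name: str) -> bool:
        """Walk the chain to the trust anchor; any revoked cert breaks it."""
        while name is not None:
            if name in self.revoked:
                return False
            name = self.certs[name].issuer
        return True

    def roa_valid(self, roa: ROA) -> bool:
        """A ROA counts only if its signer's chain validates and the signer is
        certified for the ROA prefix: origination authority comes from the
        prefix holder, whose identity comes from the allocator chain."""
        signer = self.certs.get(roa.signer)
        return (signer is not None and self.cert_valid(signer.name)
                and self._covered(roa.prefix, signer.prefixes))

    def validate_route(self, prefix: str, origin_asn: int) -> str:
        """RFC 6811 style route origin validation of a BGP announcement."""
        net = ipaddress.ip_network(prefix)
        covering = [r for r in self.roas if self.roa_valid(r)
                    and net.subnet_of(ipaddress.ip_network(r.prefix))]
        if not covering:
            return "NotFound"
        if any(r.asn == origin_asn and net.prefixlen <= r.max_length
               for r in covering):
            return "Valid"
        return "Invalid"


def build_chain() -> ToyRPKI:
    """Constructed allocation chain: TA -> RIR -> ISP -> Customer."""
    rpki = ToyRPKI(Cert("TA", ("2001:db8::/32",), None))
    rpki.issue(Cert("RIR", ("2001:db8::/32",), "TA"))
    rpki.issue(Cert("ISP", ("2001:db8:1000::/36",), "RIR"))
    rpki.issue(Cert("Customer", ("2001:db8:1234::/48",), "ISP"))
    # Customer (the prefix holder) authorises AS 64496 to originate its /48.
    rpki.roas.append(ROA("2001:db8:1234::/48", 48, 64496, "Customer"))
    # ISP signs a ROA for space it was never allocated: ignored as invalid.
    rpki.roas.append(ROA("2001:db8:2000::/48", 48, 64500, "ISP"))
    return rpki


def demo() -> dict[str, str]:
    rpki = build_chain()
    results = {
        "right_origin": rpki.validate_route("2001:db8:1234::/48", 64496),
        "wrong_origin": rpki.validate_route("2001:db8:1234::/48", 64497),
        "too_specific": rpki.validate_route("2001:db8:1234:5::/64", 64496),
        "no_roa": rpki.validate_route("2001:db8:ffff::/48", 64496),
        "isp_overreach": rpki.validate_route("2001:db8:2000::/48", 64500),
    }
    # Jeff's scenario: the allocator revokes the Customer's certificate while a
    # dispute is pending. The Customer's ROA stops validating and the very same
    # announcement degrades from Valid to NotFound.
    rpki.revoke("Customer")
    results["after_revocation"] = rpki.validate_route("2001:db8:1234::/48", 64496)
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:17s} {state}")
```

Whether NotFound is then dropped or merely de-preferred is a router policy decision, which is where the "balance of power" question lands in practice: the model shows that the allocator's revocation is enough to strip the holder's routes of positive validation, but not by itself enough to make them un-routable.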