North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
BGP Security and PKI Hierarchies (was: Re: Wifi Security)
- From: Jeffrey I. Schiller
- Date: Tue Nov 22 01:31:38 2005
Oh, I am quite aware of the BGP RP-Sec work and many people have heard
my opinion on this topic, including some on this mailing list. But I'll
Hierarchical relationships breed "reptiles" because of the inherent
asymmetric business relationship that results. The "leaves" *must* do
business with the root, but the root does *not* have to do business with
the "leaves." This results in the root calling the shots, for its own
benefit and profit.
Frankly, I am quite impressed with the address registries. For the most
part they are the exception. I believe this is because they are still
run by or heavily influenced by the "wide eyed academics" (as I have
been accused of being) who believe in the Internet Dream... (you know
who you are!). However there is also a "check and balance" in that if
the registries become unreasonable, people will think about ignoring
them, and they have to know this, if not explicitly, implicitly.
However, I fear creating yet another hierarchy which must work for the
Internet to work. One based on a PKI would not have to be reasonable, as
the "leaves" would have a harder time ignoring it. Piss off the
hierarchy, and forget about being routed.
I would much prefer an arrangement where the PKI for BGP was controlled
by the providers. So an institution would have its "certificate" signed
by its upstream (or one of its upstream) providers. In such a
transaction the balance of power is much more symmetric and therefore
likely to be reasonable.
The providers could cross-certificate to build a "root free" (as in
"default free" zone) mesh (aka "Web of Trust.").
Blaine Christian wrote:
> Jeff you hit a hot button <grin>... You would love the BGP RP-Sec
> stuff going on at IETF etc...
> I "think" root authority for live routing protocols is out of the
> picture. However, you may want to stay tuned and speak up if you feel
> a root authority for routing protocols is bad.
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice