North American Network Operators Group
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
- From: Rodney Joffe
- Date: Wed Nov 23 13:50:03 2005

On Nov 23, 2005, at 11:09 AM, Randy Bush wrote:

sorry to be slow/cryptic.

not exactly. there are two trusts here. i have to accept that
asns as incompetent at configuration as i are attesting to prefixes
and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their competence to attest to
the identity of other asns by cross-signing others' certs. i could
have a business relationship with an asn whose routing competence i

What happened to responsibility? Where does it fit in to the issue?

responsibility for what?

My issue is that if ISPs a) only announced networks that they know
(for different values of know - but hopefully based on some kind of
trust in the RIR's data) they are authorized to announce, and b) took
responsibility for the behavior of the paths or prefixes they
announce, and the bits that are originated in those paths or
prefixes, and took action to stop the bad behavior, the issue of
trust paths might not be so critical.

I am not arguing in any way with your views or thoughts related to
trust models. I was merely drifting back to the original issue of
rogue players in the path, and suggesting that there is an
alternative method of mitigating the problems caused by those players
that doesn't require protocol work. Ignore the deviation in the thread.