rpki vs. secure dns?

Saku Ytti saku at ytti.fi
Sat Apr 28 10:17:10 UTC 2012


On (2012-04-27 22:05 +0000), Paul Vixie wrote:

> this seems late, compared to the various commitments made to rpki in
> recent years. is anybody taking it seriously?

(disclaimer I'm almost completely clueless on RPKI).

If two fails don't make win, then I think ROVER is better solution, doesn't
need any changes to BGP just little software magic when accepting routes.

People might scared to rely on DNS on accepting routes, but is this really
an issue? I'd anyhow prefer to run verification in 'relaxed' mode, where
routes which fail authorization are logged but accepted if there wasn't
pre-existing covering route. Only drop routes if they fail authorization
_AND_ there is pre-existing covering route.
Maybe after several more years of experience and working out kinks, I could
dare to try to run verification in 'strict' more. But 'relaxed' more
already would stop the real-life problems we've seen of route-hijackings. I
don't care much about unannounced net used for spamming really.

Nick Hilliard mentioned in other forum to me bootstrapping problem. DNS
would then be inherently part of your NMS, so install DNS in your NMS, and
NMS already exists in IGP. So infra for verification should be up, before
BGP is up.

-- 
  ++ytti




More information about the NANOG mailing list