ROVER routing security - it's not enumeration
Paul Vixie
vixie at isc.org
Sun Jun 10 21:53:55 UTC 2012
Doug Montgomery <dougm.tlist at gmail.com> writes:
> > ...
>
> I think we debate the superficial here, and without sufficient imagination.
> The enumerations vs query issue is a NOOP as far as I am concerned. With
> a little imagination, one could envision building a box that takes a feed
> of prefixes observed, builds an aged cache of prefixes of interest, queries
> for their SRO records, re-queries for those records before their TTLs
> expire, and maintains a white list of "SRO valid" prefix/origin pairs that
> it downloads to the router.
this sounds like a steady state system. how would you initially populate it,
given for example a newly installed core router having no routing table yet?
if the answer is, rsync from somewhere, then i propose, rsync from RPKI.
if the answer is, turn off security during bootup, then i claim, bad idea.
> ...
>
> Point being, with a little imagination I think one could build components
> with either approach with similar black box behavior.
i don't think so. and i'm still waiting for a network operator to say what
they think the merits of ROVER might be in comparison to the RPKI approach.
(noting, arguments from non-operators should and do carry less weight.)
--
Paul Vixie
KI6YSY
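The aged-cache design sketched in the quoted paragraph, as an added Python example that is not from the original thread or from any ROVER implementation. The SRO resolver is a constructed dict standing in for DNS lookups, and the 300-second negative TTL and the 20% refresh margin are assumptions; a freshly built cache starts with an empty whitelist, which is exactly the cold-start gap the reply points at.

```python
import time

# Constructed stand-in for ROVER's SRO lookup: prefix -> (valid origin ASNs, TTL seconds).
# A real validator would issue DNS queries for the SRO records instead of reading a dict.
FAKE_SRO_ZONE = {
    "192.0.2.0/24": ({64496}, 300),
    "198.51.100.0/24": ({64497, 64498}, 60),
    # 203.0.113.0/24 deliberately has no SRO record, so it can never be whitelisted.
}

def lookup_sro(prefix):
    """Return (origins, ttl); (None, None) means no SRO record exists (constructed resolver)."""
    return FAKE_SRO_ZONE.get(prefix, (None, None))

class SroCache:
    """Aged cache of prefixes of interest and the whitelist of 'SRO valid' prefix/origin pairs."""
    NEGATIVE_TTL = 300  # assumption: how long to remember that a prefix had no record

    def __init__(self, resolver=lookup_sro, now=time.time, refresh_fraction=0.2):
        self.resolver, self.now, self.frac = resolver, now, refresh_fraction
        self.entries = {}  # prefix -> {"origins": set|None, "ttl": int, "expires": float}

    def _refresh(self, prefix):
        origins, ttl = self.resolver(prefix)
        ttl = ttl if ttl is not None else self.NEGATIVE_TTL
        self.entries[prefix] = {"origins": origins, "ttl": ttl, "expires": self.now() + ttl}

    def observe(self, prefix, origin):
        """Feed of observed prefixes: a prefix is queried the first time it is seen."""
        if prefix not in self.entries:
            self._refresh(prefix)
        return self.is_valid(prefix, origin)

    def maintain(self):
        """Periodic pass: re-query each record before its TTL runs out; returns prefixes refreshed."""
        refreshed = []
        for prefix, e in list(self.entries.items()):
            if e["expires"] - self.now() <= self.frac * e["ttl"]:
                self._refresh(prefix)
                refreshed.append(prefix)
        return refreshed

    def is_valid(self, prefix, origin):
        e = self.entries.get(prefix)
        return bool(e and e["origins"] and origin in e["origins"])

    def whitelist(self):
        """Pairs to download to the router; empty on a cold start with no observed prefixes."""
        return sorted((p, o) for p, e in self.entries.items() for o in (e["origins"] or ()))
```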