BGP to doom us all

Avi Freedman freedman at freedman.net
Sat Mar 1 22:25:20 UTC 2003


In article <10321.15111.31594 at avi.netaxs.com> Vadim wrote:

: Thank you very much, but no.

: DNS (and DNSSEC) relies on working IP transport for its operation.

Good point.  However -

Routers rely on having enough CPU and RAM to do transport as well,
and router engineers rely on not running offboard boxes in strange
configurations that are more likely to cause that which is the biggest
of problems on the Internet - humans getting confused and stuffing
things up.

Problems abound with every approach.

: Now you effectively propose to make routing (and so operation of IP
: transport) dependent on DNS(SEC).

: Am I the only one who sees the problem?

Probably not, but lots of us see problems with S-BGP as constituted
now.  Lots of work has gone into something that is highly unlikely
to be deployed in any major core network.

: --vadim

Rather than flame each other, maybe we can have a shoot-the-shit
discussion of the underlying problem (lack of authentication of
routing AND of packet sources), perhaps at IETF or NANOG, at the
pre-draft stage.  Maybe people will agree, but it might be productive.

: PS. The only sane method for routing info validation I've seen so far is
:     the plain old public-key crypto signatures.

Avi



