BGP Security and PKI Hierarchies (was: Re: Wifi Security)
Rodney Joffe
rjoffe at centergate.com
Wed Nov 23 18:48:51 UTC 2005
On Nov 23, 2005, at 11:09 AM, Randy Bush wrote:
>>> not exactly. there are two trusts here. i have to accept that
>>> asns as incompetent at configuration as i are attesting to prefixes
>>> and paths or i won't be able to get to a large part of the net.
>>>
>>> but this is orthogonal to my trust in their competence to attest to
>>> the identity of other asns by cross-signing others' certs. i could
>>> have a business relationship with an asn whose routing competence i
>>> question.
>>
>> What happened to responsibility? Where does it fit in to the issue?
>
> responsibility for what?
sorry to be slow/cryptic.
My issue is that if ISPs a) only announce networks that they know
(for different values of know - but hopefully based on some kind of
trust in the RIR's data) they are authorized to announce, and b) took
responsibility for the behavior of the paths or prefixes they
announce, and the bits that are originated in those paths or
prefixes, and took action to stop the bad behavior, the issue of
trust paths might not be so critical.
I am not arguing in any way with your views or thoughts related to
trust models. I was merely drifting back to the original issue of
rogue players in the path, and suggesting that there is an
alternative method of mitigating the problems caused by those players
that doesn't require protocol work. Ignore the deviation in the thread.
/rlj
More information about the NANOG
mailing list