BGP Security and PKI Hierarchies (was: Re: Wifi Security)

Rodney Joffe rjoffe at centergate.com
Wed Nov 23 18:48:51 UTC 2005



On Nov 23, 2005, at 11:09 AM, Randy Bush wrote:

>>> not exactly.  there are two trusts here.  i have to accept that
>>> asns as incompetent at configuration as i are attesting to prefixes
>>> and paths or i won't be able to get to a large part of the net.
>>>
>>> but this is orthogonal to my trust in their competence to attest to
>>> the identity of other asns by cross-signing others' certs.  i could
>>> have a business relationship with an asn whose routing competence i
>>> question.
>>
>> What happened to responsibility? Where does it fit in to the issue?
>
> responsibility for what?

sorry to be slow/cryptic.

My issue is that if ISPs  a) only announce networks that they know  
(for different values of know - but hopefully based on some kind of  
trust in the RIR's data) they are authorized to announce, and b) took  
responsibility for the behavior of the paths or prefixes they  
announce, and the bits that are originated in those paths or  
prefixes, and took action to stop the bad behavior, the issue of  
trust paths might not be so critical.

I am not arguing in any way with your views or thoughts related to  
trust models. I was merely drifting back to the original issue of  
rogue players in the path, and suggesting that there is an  
alternative method of mitigating the problems caused by those players  
that doesn't require protocol work. Ignore the deviation in the thread.

/rlj



More information about the NANOG mailing list