Validating rights to announce a prefix (was: Public shaming...)

michael.dillon at bt.com michael.dillon at bt.com
Fri Aug 15 04:54:39 CDT 2008


> Okay, I admit I haven't paid the closest attention to RPKI, 
> but I have to ask: Is this a two-way shared-key issue, or 
> (worse) a case where we need to rely on a central entity to 
> be a key clearinghouse?
> 
> The reason why I mention this is obvious -- the entire PKI 
> effort has been stalled (w.r.t. authority) because of this 
> particular issue.

Who says there needs to be a PKI infrastructure in order to
do this? There are other ways of authenticating data. For instance
ARIN could hold the data that they have validated on their own
servers and people could use HTTPS queries to ensure that they
get the answers that they thought they would get.

As for how the address owner delegates the right to announce 
a prefix, they could either operate their own database and
ARIN would have a pointer to it, or they could register the
data in ARIN's database by some secure means. There is no
reason why "secure means" could not include various out of
band authentication systems.

People are too hung up on cryotographically secure PKI systems
which are way overkill for this problem. In fact, it should be
possible to design an architecture that allows for an easy upgrade
to PKI if it should be determined at some future date, that PKI
is necessary.

--Michael Dillon




More information about the NANOG mailing list