rpki vs. secure dns?

Russ White russw at riw.us
Tue May 1 11:19:52 UTC 2012


Randy:

> as i agree that there is a problem, i *very* eagerly await your proposal

Reality: A few years back there were a half a dozen options proposed.
soBGP, pgBGP, IRR based solutions, etc. Just recently PSVs were
discussed and dismissed as a live option.

Why?

1. Only S-BGP/BGP-SEC will solve the "man in the middle attack," within
the parameter of "I won't ever tell anyone what any of my policies are!"
This single requirement --solving one specific policy issue without
advertising policy-- has been the center pin of the entire discussion
for a number of years.

2. Any time someone proposed something different, long threads ensued
with lots of talk about how these folks don't know what they're talking
about, etc., but which contain very little technical discussion, or
thoughts on tradeoffs, etc. Any technical discussion is limited to
taking out the "man in the middle attack," and beating it over the heads
of those making the proposal --repeatedly.

So the bottom line is this: The current requirements were written around
the ability of one particular solution to solve one particular policy
issue in a way that's acceptable to a very small set of operators.

A single root has been a requirement for a long time, as well --we had
this discussion a very long time ago. No other solution proposed had a
single root, and S-BGP/BGP-SEC didn't have to use a single root. But a
single root somehow made it into the requirements, and it's stayed there
ever since.

If you honestly want more options, go back and rethink your requirements.

Russ
