nanog mailing list archives
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
From: Randy Bush <randy () psg com>
Date: Wed, 23 Nov 2005 08:09:36 -1000
not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net. but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question.
What happened to responsibility? Where does it fit in to the issue?
responsibility for what?
As much as they enjoy sharing brew sessions, I don't think I've often seen or heard of 701 and 2914 ever having to point out downstream misbehavior to each other. And I *think* they both have sticks that are big enough that they never have to be waved. So if we can assume that this is true of the other folks of "similar" size, then which are the large parts of the net you can't or won't be able to reach? Or are your peers not prepared to own responsibility for their announcements? And if not, why not? And I refuse to accept the reasoning that seems to have smothered pushback - Networks don't have to deploy new code or equipment or capabilities to control internal or downstream announcements.
uh, i really do not follow what you are saying. the point is that the trust model for attestation of identity need not be the same trust model for the attestation of prefix ownership or of as-path. in operation, this means that there could be isp- (or ufo-)centric isp identity certification (a la web of trust, for example) which could have a very separate cert chain from that of address space allocation, which, aside from the legacy issue, could come via the rirs.
randy