nanog mailing list archives

Re: ROVER routing security - its not enumeration


From: Paul Vixie <vixie () isc org>
Date: Sun, 10 Jun 2012 21:53:55 +0000

Doug Montgomery <dougm.tlist () gmail com> writes:

...

I think we debate the superficial here, and without sufficient imagination.
The enumerations vs query issue is a NOOP as far as I am concerned. With
a little imagination, one could envision building a box that takes a feed
of prefixes observed, builds an aged cache of prefixes of interest, queries
for their SRO records, re-queries for those records before their TTLs
expire, and maintains a white list of "SRO valid" prefix/origin pairs that
it downloads to the router.

this sounds like a steady state system. how would you initially populate it,
given for example a newly installed core router having no routing table yet?

if the answer is, rsync from somewhere, then i propose, rsync from RPKI.

if the answer is, turn off security during bootup, then i claim, bad idea.

...

Point being, with a little imagination I think one could build components
with either approach with similar black box behavior.

i don't think so. and i'm still waiting for a network operator to say what
they think the merits of ROVER might be in comparison to the RPKI approach.
(noting, arguments from non-operators should and do carry less weight.)

-- 
Paul Vixie
KI6YSY
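The box Doug sketches above, as an added example that is not part of this thread and not ROVER or ISC code: an aged prefix cache that queries on first sight, re-queries before TTL expiry, and exports the prefix/origin white list a router would load. The `lookup` callable, the `Entry` fields and the sample prefixes are assumptions; `validate` answers "unknown" for a cold cache, which is the bootstrap gap Paul points at.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Entry:
    origins: frozenset  # origin ASNs the SRO answer listed for the prefix
    ttl: int            # TTL of that answer, in seconds
    expires_at: float   # absolute time at which the answer goes stale
    last_seen: float    # last time the prefix appeared in the observed feed

class SroCache:
    """Aged cache of prefix -> SRO-validated origins, fed by observed prefixes. lookup(net) is
    an assumed stand-in for the DNS query for the prefix's SRO record, returning (origins, ttl)."""
    def __init__(self, lookup, refresh_fraction=0.2, idle_timeout=3600):
        self.lookup = lookup
        self.refresh_fraction = refresh_fraction  # re-query this fraction of the TTL early
        self.idle_timeout = idle_timeout          # forget prefixes not seen for this long
        self.entries = {}

    def observe(self, prefix, now):
        """Feed input: the first sighting of a prefix triggers the query, later ones just age it."""
        net = ipaddress.ip_network(prefix, strict=False)
        if net in self.entries:
            self.entries[net].last_seen = now
        else:
            origins, ttl = self.lookup(net)
            self.entries[net] = Entry(frozenset(origins), ttl, now + ttl, now)

    def tick(self, now):
        """Maintenance pass: drop idle prefixes, re-query records before their TTL runs out."""
        for net, e in list(self.entries.items()):
            if now - e.last_seen > self.idle_timeout:
                del self.entries[net]
            elif now >= e.expires_at - self.refresh_fraction * e.ttl:
                origins, ttl = self.lookup(net)
                self.entries[net] = Entry(frozenset(origins), ttl, now + ttl, e.last_seen)

    def whitelist(self, now):
        """(prefix, origin) pairs downloaded to the router: only unexpired answers count."""
        return {(str(n), a) for n, e in self.entries.items() if now < e.expires_at for a in e.origins}

    def validate(self, prefix, origin, now):
        """'unknown' until the prefix has been seen and answered: a cold cache validates nothing."""
        e = self.entries.get(ipaddress.ip_network(prefix, strict=False))
        if e is None or now >= e.expires_at or not e.origins:
            return "unknown"
        return "valid" if origin in e.origins else "invalid"
# Constructed stand-in for the SRO data (documentation prefixes and ASNs only).
SRO_ZONE = {"192.0.2.0/24": ([64496], 300), "198.51.100.0/24": ([64497, 64498], 60)}
def sample_lookup(net):
    return SRO_ZONE.get(str(net), ([], 30))  # no record: nothing asserted, short negative TTL
```

Until the feed has delivered a prefix and the query has been answered, the white list is empty and every route is "unknown", so the router is either open or dark during that window.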

