Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

[Randy Bush <randy () psg com>]

> > not exactly.  there are two trusts here.  i have to accept that
> > asns as incompetent at configuration as i are attesting to prefixes
> > and paths or i won't be able to get to a large part of the net.
> >
> > but this is orthogonal to my trust in their competence to attest to
> > the identity of other asns by cross-signing others' certs.  i could
> > have a business relationship with an asn whose routing competence i
> > question.
>
> What happened to responsibility? Where does it fit in to the issue?

responsibility for what?

> As much as they enjoy sharing brew sessions, I don't think I've often  
> seen or heard of 701 and 2914 ever having to point out downstream  
> misbehavior to each other. And I *think* they both have sticks that  
> are big enough that they never have to be waved. So if we can assume  
> that this is true of the other folks of "similar" size, then which  
> are the large parts of the net you can't or won't be able to reach?  
> Or are your peers not prepared to own responsibility for their  
> announcements? And if not, why not? And I refuse to accept the  
> reasoning that seems to have smothered pushback - Networks don't have  
> to deploy new code or equipment or capabilities to control internal  
> or downstream announcements.

uh, i really do not follow what you are saying.  the point is that
the trust model for attestation of identity need not be the same
trust model for the attestation of prefix ownership or of as-path.

in operation, this means that there could be isp- (or ufo-)centric
isp identity certification (a la web of trust, for example) which
could have a very separate cert chain from that of address space
allocation, which, aside from the legacy issue, could come via the
rirs.

randy