nanog mailing list archives
Re: Validating rights to announce a prefix
From: Robert Kisteleki <robert () ripe net>
Date: Fri, 15 Aug 2008 12:17:17 +0200
michael.dillon () bt com wrote:
Okay, I admit I haven't paid the closest attention to RPKI, but I have to ask: Is this a two-way shared-key issue, or (worse) a case where we need to rely on a central entity to be a key clearinghouse?

The reason why I mention this is obvious -- the entire PKI effort has been stalled (w.r.t. authority) because of this particular issue.

Who says there needs to be a PKI infrastructure in order to do this? There are other ways of authenticating data. For instance ARIN could hold the data that they have validated on their own servers and people could use HTTPS queries to ensure that they get the answers that they thought they would get.
I must point out that HTTPS is still in PKI land - it's just "another one", inviting otherwise unrelated parties (like Verisign et al.) into the system.
As for how the address owner delegates the right to announce a prefix, they could either operate their own database and ARIN would have a pointer to it, or they could register the data in ARIN's database by some secure means. There is no reason why "secure means" could not include various out of band authentication systems.
The principles for this are included in the SIDR efforts.
People are too hung up on cryptographically secure PKI systems which are way overkill for this problem. In fact, it should be possible to design an architecture that allows for an easy upgrade to PKI if it should be determined, at some future date, that PKI is necessary.
It's hard to switch to a more secure method later on if you start with a less secure one. So, "upgrading" to PKI from something else only makes sense if that previous system was secure enough - but then why would you want to change?
Robert
--Michael Dillon
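For readers who want to see what "the principles in the SIDR efforts" amount to at the router end, the following is an added example, not code from this thread, from RIPE, ARIN or any router vendor. It implements the origin-validation procedure the SIDR work later standardized (RFC 6811) over a constructed, in-memory set of ROAs: each ROA says that one AS may originate any prefix inside a given block up to a maxLength, and an announcement is classified as valid, invalid or not-found. All prefixes and AS numbers are documentation/private-use values made up for the example, the function names are mine, and the accept/drop policy in decide() is an assumed typical operator policy, not anything the thread prescribes. Note that nothing here deals with how the ROAs got to the router or why they should be trusted, which is precisely the PKI-vs-HTTPS question being argued above.

```python
"""Route origin validation against a local set of ROAs.

Added example for this thread; not code from the thread, from RIPE, ARIN
or any router vendor.  Implements the origin-validation procedure later
standardized in RFC 6811 over a constructed, in-memory ROA set.  All
prefixes and AS numbers are documentation / private-use values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: `asn` may originate any prefix that
    lies within `prefix` and is no longer than `max_length` bits."""
    prefix: Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ipaddress.ip_network(prefix)
    # maxLength must lie between the ROA prefix length and the address size.
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return ROA(net, max_length, asn)


# Constructed sample ROA set (made up for this example, not registry data).
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/22", 24, 64497),   # allows /22, /23 and /24 sub-prefixes
    make_roa("2001:db8::/32", 48, 64496),
    make_roa("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
]

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def covers(roa: ROA, announced: Network) -> bool:
    """A ROA covers an announcement when the announced prefix is equal to or
    more specific than the ROA prefix (maxLength is not considered here)."""
    return (roa.prefix.version == announced.version
            and roa.prefix.prefixlen <= announced.prefixlen
            and announced.subnet_of(roa.prefix))


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one (prefix, origin AS) pair as valid / invalid / not-found."""
    announced = ipaddress.ip_network(prefix)  # strict: host bits must be zero
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return NOT_FOUND  # no ROA says anything about this address space
    # Valid requires one covering ROA whose ASN matches and whose maxLength
    # admits this prefix length; other covering ROAs do not make it invalid.
    for r in covering:
        if r.asn == origin_as and announced.prefixlen <= r.max_length:
            return VALID
    return INVALID  # covered, but no ROA authorizes this origin / length


def decide(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Assumed typical router policy: drop invalid, accept valid and
    not-found (not-found stays accepted so unregistered space keeps working)."""
    return "drop" if validate(prefix, origin_as, roas) == INVALID else "accept"


if __name__ == "__main__":
    # Constructed announcements: legitimate, hijack, too-specific, AS0, unknown.
    for p, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
                   ("192.0.2.0/25", 64496), ("198.51.100.0/23", 64497),
                   ("203.0.113.0/24", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{p:18} AS{asn}: {validate(p, asn):9} -> {decide(p, asn)}")
```

The interesting cases are the ones a plain "does ARIN say this block belongs to X" lookup does not capture: a more-specific announced beyond maxLength is invalid even when the origin AS is the right one, an AS0 ROA makes every origin invalid, and a covering ROA for some other AS does not rescue an announcement that no ROA actually authorizes.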
Current thread:
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Paul Ferguson (Aug 14)
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Danny McPherson (Aug 14)
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Sandy Murphy (Aug 15)
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Randy Bush (Aug 15)
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Sandy Murphy (Aug 15)
- RE: Validating rights to announce a prefix (was: Public shaming...) michael.dillon (Aug 15)
- Re: Validating rights to announce a prefix Robert Kisteleki (Aug 15)
- RE: Validating rights to announce a prefix michael.dillon (Aug 15)
- RE: Validating rights to announce a prefix (was: Public shaming...) Skywing (Aug 15)
- RE: Validating rights to announce a prefix (was: Public shaming...) michael.dillon (Aug 15)
- RE: Validating rights to announce a prefix (was: Public shaming...) Skywing (Aug 15)
- Re: Validating rights to announce a prefix Robert Kisteleki (Aug 15)
- Re: Public shaming list for ISPs announcing other ISPs IP space by mistake Danny McPherson (Aug 14)