In message <20150602151233.ga29...@doit-2nw1mrfy-x.doit.wisc.edu>, "Dale W. Carder" writes:
> Thus spake Roland Dobbins (rdobb...@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
> >
> > On 2 Jun 2015, at 11:07, Mark Andrews wrote:
> >
> > >If you have secure BGP deployed then you could extend the authentication
> > >to securely authenticate source addresses you emit and automate
> > >BCP38 filter generation and then you wouldn't have to worry about
> > >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
> >
> > This can be and is done by networks which originate routes and which
> > practice good network hygiene, no PKI required.

But it is a manual process or trust the information added to this
database is correct. Automating the process even if it is only at
the customer/isp edge where customer == isp is tagged as an exception
would be a big win.

> > But then we get into the customer of my customer (of my customer, of my
> > customer . . .) problem, and this isn't quite so clear.
> >
> > There are also potentially significant drawbacks to incorporating PKI into
> > the routing space, including new potential DoS vectors against PKI-enabled
> > routing elements, the potential for enumeration of routing elements, and the
> > possibility of building a true 'Internet kill switch' with effects far
> > beyond what various governmental bodies have managed to do so far in the DNS
> > space.

Yes, there are trade offs.

As for that "Internet kill switch", ISPs could theoretically be ordered
to block all traffic to a prefix. I know that this is theoretically
possible today with Australian legislation and basically has been
since the very beginning as it is in the telecommunication acts.

> > Once governments figured out what the DNS was, they started to use it as a
> > ban-hammer - what happens in a PKIed routing system once they figure out
> > what BGP is?
> >
> > But nobody seems to be discussing these potential drawbacks, very much.
>
> Start here:
> https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
>
> Dale

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
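
An added illustration, not part of the thread and not any participant's code: a sketch of the automated BCP38 filter generation discussed above, including the "customer of my customer" case. It assumes authenticated (prefix, origin ASN) records are already available; the record layout, the CUSTOMERS_OF table, all function names, and the sample prefixes and ASNs are constructed for the example.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use ASNs,
# standing in for authenticated (prefix, origin ASN) records.
VALIDATED_ORIGINS = [
    ("192.0.2.0/25", 64500),
    ("192.0.2.128/25", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502),
    ("2001:db8:100::/48", 64501),
]
# Hypothetical customer links: ASN -> ASNs it sells transit to.
# 64501 <-> 64503 is a deliberate loop, to show bad data cannot hang the walk.
CUSTOMERS_OF = {64500: [64501], 64501: [64503], 64503: [64501]}

def customer_cone(asn, customers_of):
    """Return asn plus every ASN reachable through customer links."""
    seen, stack = set(), [asn]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(customers_of.get(cur, []))
    return seen

def allowed_sources(asn, origins, customers_of):
    """Aggregated source prefixes to permit on the port facing `asn`."""
    cone = customer_cone(asn, customers_of)
    nets = [ipaddress.ip_network(p) for p, origin in origins if origin in cone]
    # collapse_addresses rejects mixed address families, so aggregate each alone.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def permits(src, prefixes):
    """True if a packet with source address `src` passes the ingress filter."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in prefixes)

if __name__ == "__main__":
    acl = allowed_sources(64500, VALIDATED_ORIGINS, CUSTOMERS_OF)
    for net in acl:
        print("permit", net)
    print("deny any")
    # A source inside 64502's prefix is spoofed when seen on the 64500 port.
    print("203.0.113.9 permitted:", permits("203.0.113.9", acl))
```

The filter is only as complete as the relationship data: an ASN missing from the cone has its legitimate traffic dropped, which is the multi-level customer problem raised in the quoted text.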