Verifying route origins and ownership (Was: ARIN Fraud Reporting Form ... Don't waste your time)
On 2010-10-01 17:04, Christopher Morrow wrote:
[..]
> I think so far the models proposed in SIDR-wg include:
>   o more than one cert tree (trust anchor)

Why not in a similar vein as RBLs: white and black lists.

One can then subscribe to the white/black lists that one trusts and give positive/negative points when an entry appears on one of those lists; based on the points that a prefix/asnpath combo gets, it is either accepted, rejected or operator-warned.

And the good one of course is that you can set up your own repository and give that out to your own systems or to other people's, then you just score your system above the other lists and presto you can overrule decisions which would be made otherwise.

If you have multiple sources you trust, you are effectively just adding redundancy to your system, all problems solved.

Works for spam, should also work for this.

Greets,
 Jeroen
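
The scoring scheme proposed in the message above, sketched as an added example (not code from the thread or from any SIDR-wg document). Class and function names, weights and thresholds are assumptions; it matches on prefix and origin AS only rather than the full AS path, and the sample data is constructed from documentation prefixes and ASNs.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouteList:
    name: str
    weight: int   # points this operator assigns to the list (trust level)
    kind: str     # "white" adds the points, "black" subtracts them
    entries: list = field(default_factory=list)

    def add(self, prefix, origin=None):
        # origin=None means "any origin AS" for this prefix
        self.entries.append((ipaddress.ip_network(prefix), origin))

    def points(self, prefix, origin):
        for net, asn in self.entries:
            if (net.version == prefix.version and prefix.subnet_of(net)
                    and asn in (None, origin)):
                return self.weight if self.kind == "white" else -self.weight
        return 0

def decide(lists, prefix, as_path, accept_at=5, reject_at=-5):
    """Return (score, verdict) for an announcement; thresholds are assumptions."""
    prefix = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # rightmost AS in the path is the origin
    score = sum(l.points(prefix, origin) for l in lists)
    if score >= accept_at:
        return score, "accept"
    if score <= reject_at:
        return score, "reject"
    return score, "warn"          # operator-warned: not enough evidence either way

def sample_lists():
    # Constructed data: documentation prefixes and documentation ASNs only.
    white = RouteList("community-white", 5, "white")
    white.add("192.0.2.0/24", 64496)
    white.add("198.51.100.0/24", 64497)
    black = RouteList("community-black", 5, "black")
    black.add("203.0.113.0/24", 64511)
    black.add("198.51.100.0/24", 64497)   # entry the local operator disagrees with
    local = RouteList("local", 20, "white")  # own repository, scored above the others
    local.add("198.51.100.0/24", 64497)
    return [white, black, local]

if __name__ == "__main__":
    lists = sample_lists()
    for pfx, path in [("192.0.2.0/24", [64500, 64496]),
                      ("192.0.2.0/24", [64500, 64511]),
                      ("203.0.113.0/24", [64500, 64511]),
                      ("198.51.100.0/24", [64500, 64497])]:
        print(pfx, path, decide(lists, pfx, path))
```

Without the local list, the last announcement scores 0 and is only operator-warned; with it, the local weight of 20 overrules the disagreeing community lists.
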
Re: Verifying route origins and ownership (Was: ARIN Fraud Reporting Form ... Don't waste your time)
On Fri, Oct 1, 2010 at 11:12 AM, Jeroen Massar jer...@unfix.org wrote:
> On 2010-10-01 17:04, Christopher Morrow wrote:
> [..]
>> I think so far the models proposed in SIDR-wg include:
>>   o more than one cert tree (trust anchor)
>
> Why not in a similar vein as RBLs: white and black lists.

I'm sure someone will think it's a fine plan to set up a TA and sign down ROAs that indicate 'badness' or 'invalid' or something similar. There's nothing stopping that; similarly, today you COULD subscribe to a BGP feed of subnets of actually seen routes rewriting the next-hop to dsc0/Null0/honeypot...

I don't think this sort of thing is in the SIDR-wg's charter though... much like RBLs are not in DNS-EXT's charter?

-chris