Re: Secure BGP (Was: YouTube IP Hijacking)

2008-02-25 Thread Sandy Murphy
Is there some way of deploying a solution like Secure BGP without actually requiring that it go into the routers? The IETF SIDR wg (shameless plug as I'm wg co-chair) is working on a way to say with strong assurance who holds what prefixes, and therefore who can authorize the origination of what

Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-23 Thread Sandy Murphy
Which report did you read... http://www.schneier.com/blog/archives/2007/04/dept_of_homelan.html http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet/ http://www.tiawood.com/2007/homeland-security-grabs-for-nets-master-keys/ All of which were about

Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-23 Thread Sandy Murphy
/slides/conf/wednesday/Address%20Space%20PKI%20(APRICOT).pdf Work ongoing in the IETF SIDR working group: http://www.ietf.org/html.charters/sidr-charter.html --Sandy Murphy

Re: BGP Security

2005-11-28 Thread Sandy Murphy
I am placing the module to test the UPDATE message before the formation of Adj-RIB-out. So that the false / malicious information won't go beyond my router ... Would like to know your views about this approach. I think all the various published approaches have this goal in mind, so the approach

Re: BGP Security and PKI Hierarchies

2005-11-28 Thread Sandy Murphy
Regardless of what the legacy space users think, if the RIRs decided to sign certificates for use in BGP route for a small fee to recover costs, and if those legacy space holders wish to make use of this new service (like a new version of Windows) then they have to sign up and pay the fees. The

Re: BGP Security and PKI Hierarchies

2005-11-28 Thread Sandy Murphy
Michael Dillon said: The fees are not charged for past services that were received for free, only for future services. So you are saying that legacy space holder who signed a membership agreement would not owe the usual yearly fee associated with their legacy space holdings but only those fees

Re: BGP Security and PKI Hierarchies

2005-11-25 Thread Sandy Murphy
Do you suppose that if a Microsoft salesman had given me a free copy of Windows back in 1990, I would have a right to use any version of Windows for free forever? I don't think this analogy exactly fits. I'm pretty sure that the legacy space holders think of this as: a Microsoft salesman had

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-24 Thread Sandy Murphy
the rir attests to the delegation of the prefix and an asn to the identified isp. the isp signs, using their isp identity to o originating from the asn o originating that prefix (in sbgp, toward another isp) Looks to me like: proof of allocation: S(withRIRkey, Prefix_p_key, prefix_p)

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Sandy Murphy
in operation, this means that there could be isp- (or ufo-)centric isp identity certification (a la web of trust, for example) which could have a very separate cert chain from that of address space allocation, which, aside from the legacy issue, could come via the rirs. So when one receives an

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Sandy Murphy
My issue is that if ISPs a) only announce networks that they know (for different values of know - but hopefully based on some kind of trust in the RIR's data) they are authorized to announce, and b) took responsibility for the behavior of the paths or prefixes they announce, and the bits that

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Sandy Murphy
Hierarchical relationships breed reptiles because of the inherent asymmetric business relationship that results. ... Frankly, I am quite impressed with the address registries. How would you feel about having the registries serve as the root of a hierarchical certificate system? So an

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Sandy Murphy
Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in. you need those certs to verify the live data anyway Yes, the reason why you want to validate the institution's certificates is so you can