Hi all,
I made a comment during the wg meeting in Prague in response to a
question from the floor (I forget who asked the question; someone
from Easynet, I think). Sandy and Steve asked me to repeat it on the
list.
The problem at the time, if I remember correctly, was one of context.
For many operators in the RIPE region, there is established practice
for building filters automatically for use as import filters on BGP
sessions which is common to many operators. In that context, the SIDR
approach as described in the face-to-face meeting is perplexing. It
may well be that the documents could benefit from some accommodation
of this context in the interests of rapid comprehension by operators
in that region (operators who, I think, have shown the most interest
in applying import filters to peers and customers).
The RPSL repository operated by the RIPE NCC (the "RIPE database") on
behalf of RIPE members (and others) incorporates a feature which I
believe is not available in corresponding services offered by other
RIRs. The assignment/allocation data from the RIR (in the form of
RPSL inetnum, aut-num, etc objects) is linked for the purposes of
authentication with routing data (e.g. route, route6, etc objects).
This linkage is provided by RPSS (Routing Policy System Security).
RPSS is documented in RFC 2725, but I do not know how accurate that
document is with respect to the code which is actually running today
in Amsterdam.
In broad terms (and apologies to those who know the details of this,
and who are now cringing) it is not possible to register a route
object in the RIPE database if you are not authorised to manipulate
the corresponding (covering) inetnum object. This means that the
presence of a route object with a particular origin attribute implies
reasonable confidence that the AS specified in the origin is
authorised to originate the route in question.
[The big hole in this trust dynamic is that for addresses assigned by
other RIRs, no such linkage exists; in practice anybody can install
route objects for addresses they have no business announcing in the
RIPE database so long as those route objects don't already exist, and
so long as the addresses concerned are not taken from one of the RIPE
NCC's pools.]
The key point is that it is possible to build a prefix filter based
on policy expressed in an aut-num or as-set RPSL object using the
RIPE database and have a reasonable degree of confidence that the
resulting prefix filter is probably a reasonable one, at least if the
peers you mainly deal with are European, and acquired their addresses
from the RIPE NCC.
For an operator in Europe who mainly deals with other European
networks, it may well appear that confidence in the origination of a
particular route from a particular AS is a problem which is largely
solved. In this context, the need for the X.509 approach developed in
this working group seems unclear, and the practical process by which
a prefix filter could be constructed with reference to a certificate
chain is non-obvious.
For operators elsewhere there is no such context, and the idea of a
solution to the problem "how do I trust this new customer when he
says he is allowed to announce route X through me" that doesn't
involve photoshopped letterheads and fax machines is no doubt much
more obviously attractive.
Joe
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
