On Tue, 4 Mar 2008, Vishwas Manral wrote:

> Hi Joe,
>
> If you saw the mail exchange between Sandra and me, you will notice she
> mentioned the reason they have to go ahead with SIDR even though we
> have tools available from RIPE. What I have been trying to do is to
> figure out weaknesses in the current infrastructure to get a secure
> behavior. As a first step I found out this weakness and updated RIPE/
> Daniel about the same.

Please keep in mind that RIPE is not the only IRR.  And RIPE cannot
verify authorization for prefixes and ASs outside its range.  So improving
RIPE does not buy you what you want.


>
> As we discussed earlier SIDR does not provide a totally secure
> infrastructure. The point here is that SIDR is giving some very basic
> improvements in the security, generally in the non-malicious case.

Please keep in mind that I have said SIDR does most definitely protect 
against malicious attacks for those attacks it is addressing.

SIDR makes no difference between maliciousness or carelessness in the 
attacks it counters.

There are plenty of malicious and accidental ways to attack routers that 
are not in the realm of what SIDR is considering now.  Maliciousness is 
not the distinguisher here.

To be plain, to say SIDR addresses only non-malicious cases is flat out 
WRONG.  (And sorry for not having pointed that out before, I thought I 
did.)


> The
> idea is can we get a similar security with the current infrastructure,
> by doing minor improvements. There is a certain cost involved with the
> SIDR infrastructure.

No, we cannot get similar security with current infrastructure, even with 
MAJOR improvements to the security of the current infrastructure.  The 
structure of the current infrastructure does not permit similar security 
to what the RPKI provides.

Unless, of course, you want to add all RPKI features to the IRR model, so 
that the IRR becomes the same as the RPKI.  Of course, you adopt the cost 
as well.

--Sandy

>
> I do not think the SSL channel has not been done because it is
> unnecessary. I guess there hasn't been an attack on that side of the
> infrastructure yet, but these are well known issues/attacks in other
> fields.
>
> Thanks,
> Vishwas
>

<snip>
_______________________________________________
Sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
