Hi Sandra,

You are right, RIPE is not the only IRR. The reason I brought up RIPE is because it was mentioned that RIPE provides more secure services. If it is a good model, I would wonder why other IRRs cannot do the same.

> To be plain, to say SIDR addresses only non-malicious cases is flat out
> WRONG. (And sorry for not having pointed that out before, I thought I
> did.)

Sandra, yes you mentioned it clearly in your mail. Let me put an analogy for the same and let me know if our differences of opinions match,

We have 4 glasses on a window and one of them has been made fully bulletproof at a big expense. The point you raise is it protects when you hit against the glass that has been made bulletproof. The point I bring out is that if at a cheaper cost we can harden the glasses it may be a better option. That is what I mean by non-malicious intent. I guess that is the difference of opinion we have.

Thanks,
Vishwas

On Tue, Mar 4, 2008 at 8:34 AM, Sandra Murphy <[EMAIL PROTECTED]> wrote:
>
> On Tue, 4 Mar 2008, Vishwas Manral wrote:
>
> > Hi Joe,
> >
> > If you saw the mail exchange between Sandra and I, you will notice she
> > mentioned the reason they have to go ahead with SIDR even though we
> > have tools available from RIPE. What I have been trying to do is to
> > figure out weaknesses in the current infrastructure to get a secure
> > behavior. As a first step I found out this weakness and updated RIPE/
> > Daniel about the same.
>
> Please keep in mind that RIPE is not the only IRR. And RIPE can not
> verify authorization for prefixes and ASs outside its range. So improving
> RIPE does not buy you what you want.
>
> >
> > As we discussed earlier SIDR does not provide a totally secure
> > infrastructure. The point here is that SIDR is giving some very basic
> > improvements in the security, generally in the non-malicious case.
>
> Please keep in mind that I have said SIDR does most definitely protect
> against malicious attacks for those attacks it is addressing.
>
> SIDR makes no difference between maliciousness or carelessness in the
> attacks it counters.
>
> There are plenty of malicious and accidental ways to attack routers that
> are not in the realm of what SIDR is considering now. Maliciousness is
> not the distinguisher here.
>
> To be plain, to say SIDR addresses only non-malicious cases is flat out
> WRONG. (And sorry for not having pointed that out before, I thought I
> did.)
>
> > The
> > idea is can we get a similar security with the current infrastructure,
> > by doing minor improvements. There is a certain cost involved with the
> > SIDR infrastructure.
>
> No, we cannot get similar security with current infrastructure, even with
> MAJOR improvements to the security of the current infrastructure. The
> structure of the current infrastructure does not permit similar security
> to what the RPKI provides.
>
> Unless, of course, you want to add all RPKI features to the IRR model, so
> that the IRR becomes the same as the RPKI. Of course, you adopt the cost
> as well.
>
> --Sandy
>
> >
> > I do not think the SSL channel has not been done because it is
> > unnecessary. I guess there hasn't been an attack on that side of the
> > infrastructure yet, but these are well known issues/ attacks in other
> > fields.
> >
> > Thanks,
> > Vishwas
> >
> > <snip>
