At 12:34 AM -0500 3/6/08, Curtis Villamizar wrote:
I...
Sandy,
Would you please enumerate those things that the IRR model does not
support after reading RFC2725 and RFC2769.
Note that RFC2769 has not been implemented but would provide the
missing functionality (ability to authenticate information held in
other registries). It also provides efficient replication of
databases so anyone can have a local copy of any database of interest
to improve query time.
I am not advocating going in that direction, simply pointing out that
SIDR to a large extent reinvents the wheel. If anything I think SIDR
not implementing the full RPSL semantics is deficient.
Curtis
Curtis,
My impression was that 2769 does not address the same set of concerns
that the RPKI work is addressing.
The RPKI provides a strong, cert-based link between the resource
allocation hierarchy and signed objects that attest to resource
holdings. The use of ROAs and analogous signed objects (verifiable
under the RPKI) enables resource holders to make clearly defined
assertions about resources, e.g., the authorization of an AS to
originate a route to a prefix. These assertions can be verified
without worrying about the integrity of the management of an IRR,
e.g., the path via which the object was obtained.
2769 seems to focus on authorization to manage objects in the IRR, a
very important but distinct concern. The integrity model seems to
emphasize transitive trust (e.g., tracing data integrity back to an
authoritative directory), and authorization to manage an object. This
is different from the use of signed objects that can be verified
through use of an authoritative PKI. (I note that the term PKI does
not appear anywhere in the RFC, and the term certificate (or cert)
appears only a few times. There are references to use of PGP keys for
authenticating a user who wants to manage objects, but that is a very
different use of public key crypto.)
It is appropriate to examine the intersection of the IRR/RPSL model
and the SIDR work to see how the two can fit together, but I disagree
with the suggestion that SIDR "reinvents the wheel." SIDR adopts a
different initial focus, i.e., defining a profile for certs that
represent resource holdings. As we move to introduce additional
signed objects, e.g. ROAs and BOAs, then we get closer to some of
the functionality of RPSL.
Steve
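As an added illustration of the ROA assertion Steve describes (an AS being authorized to originate a route to a prefix), here is example code that is not part of the thread: it checks BGP announcements against a constructed set of ROAs, using the valid/invalid/not-found outcome later standardized in RFC 6811. The ROA contents and AS numbers are sample values, and the ROAs are assumed to have already been validated under the RPKI.

```python
# Added example, not code from the SIDR thread: BGP route origin validation
# against a set of ROAs that are assumed already validated under the RPKI.
# Outcome semantics follow RFC 6811 (valid / invalid / not-found).
# All ROA contents below are constructed sample data, not real registry objects.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # address block the resource holder authorizes, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific prefix the AS may originate within it
    asn: int         # AS authorized to originate routes within the prefix


def covering_roas(roas, prefix):
    """Return the ROAs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        # subnet_of() refuses mixed IPv4/IPv6 comparisons, so check the version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(r)
    return covering


def validate_origin(roas, prefix, origin_asn):
    """Classify an announcement of `prefix` with origin `origin_asn`."""
    covering = covering_roas(roas, prefix)
    if not covering:
        return "not-found"  # no ROA says anything about this prefix
    net = ipaddress.ip_network(prefix, strict=False)
    for r in covering:
        # A match needs both the authorized AS and a prefix no longer than maxLength
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin AS or too-specific prefix


# Constructed sample ROAs (documentation prefixes and private-use AS numbers)
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
    Roa("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("198.51.100.0/26", 64497), ("198.51.100.0/24", 64499),
                     ("203.0.113.0/24", 64496), ("2001:db8:1::/48", 64496)]:
        print(f"{pfx:20} AS{asn}: {validate_origin(SAMPLE_ROAS, pfx, asn)}")
```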
_______________________________________________
Sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr