On Tue, 11 Mar 2008, Jeffrey Haas wrote:
> On Tue, Mar 11, 2008 at 07:57:13AM -0600, Danny McPherson wrote:
>> So, I'm sure suspect I'm missing something here, could folks
>> please help me better understand both incremental deployment
>> models and how the above isn't an issue?
>
> Multiple trust anchors and multiple ROAs.
>
> The current ROA model, presuming I'm not misinterpreting the PKI in the
> drafts, only lets you trace your trust path up one chain. While it'd be
> nice to trace the trust path to multiple trust anchors from a single
> ROA, I suspect that the way these ROAs are built wouldn't permit this.
>
> See sec 2.4 of the architecture document.
So, instead of using just RIRs as trust anchors, you add every other ISP on the planet as a trust anchor as well (or at least tier1 ISPs and those tier2's which connect to tier1's that don't support RPKI)? Or are you proposing a model where other RIRs or some (currently non-existing from IP addressing perspective) third parties would be doing additional ROA signing to get this single point of failure?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

_______________________________________________
Sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
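The point the two messages above are circling (a ROA's certificate chain climbs to exactly one root, so a relying party that does not trust that root cannot validate the ROA, and covering a second trust anchor means a second ROA issued under it) can be made concrete with a deliberately simplified model. The code below is an added example for this thread, not from the SIDR drafts or from any RPKI implementation: the `Cert`/`ROA` classes, the `CERTS` hierarchy, the names `RIR-A`, `LIR-1`, `ISP-X` and the AS number are all constructed sample data, and it skips signatures, manifests, CRLs and the other pieces a real relying party checks, keeping only issuer links and RFC 3779-style resource containment.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified resource certificate: who issued it and which prefixes it holds."""
    name: str
    issuer: Optional[str]        # None marks a self-signed certificate (a trust anchor candidate)
    resources: tuple             # prefixes this certificate may delegate (RFC 3779 style)

@dataclass(frozen=True)
class ROA:
    """Simplified ROA: prefix, authorised origin AS, and the CA that issued its EE certificate."""
    prefix: str
    asn: int
    ee_issuer: str

# Constructed sample hierarchy (hypothetical names, not real RIR or ISP data).
# RIR-A delegates 10.1.0.0/16 to LIR-1; ISP-X is a separate self-signed root
# holding the same space, modelling an ISP acting as its own trust anchor.
CERTS = {c.name: c for c in [
    Cert("RIR-A", None, ("10.0.0.0/8",)),
    Cert("LIR-1", "RIR-A", ("10.1.0.0/16",)),
    Cert("ISP-X", None, ("10.1.0.0/16",)),
]}

def covers(resources, prefix):
    """True if prefix lies inside one of the certificate's resource blocks."""
    p = ip_network(prefix)
    return any(p.version == ip_network(r).version and p.subnet_of(ip_network(r))
               for r in resources)

def validate_roa(roa, trust_anchors, certs=CERTS):
    """Walk the ROA's single issuer chain upward.

    Returns the name of the trust anchor the chain ends at, provided that root is
    in the relying party's configured set and every certificate on the way covers
    the ROA prefix; otherwise returns None. There is only one chain to walk, so a
    ROA can be traced to at most one root.
    """
    name = roa.ee_issuer
    seen = set()
    while name is not None:
        if name in seen:               # defensive: refuse issuer loops in bad data
            return None
        seen.add(name)
        cert = certs.get(name)
        if cert is None or not covers(cert.resources, roa.prefix):
            return None
        if cert.issuer is None:        # reached a self-signed root
            return name if name in trust_anchors else None
        name = cert.issuer
    return None

def origin_is_valid(prefix, asn, roas, trust_anchors):
    """Relying-party view: is there any validatable ROA authorising asn for prefix?"""
    return any(r.prefix == prefix and r.asn == asn and validate_roa(r, trust_anchors)
               for r in roas)

if __name__ == "__main__":
    roa_via_rir = ROA("10.1.0.0/16", 64496, "LIR-1")   # issued under RIR-A
    roa_via_isp = ROA("10.1.0.0/16", 64496, "ISP-X")   # a second ROA, issued under ISP-X
    for tas in ({"RIR-A"}, {"ISP-X"}, {"RIR-A", "ISP-X"}, set()):
        print(sorted(tas), origin_is_valid("10.1.0.0/16", 64496, [roa_via_rir, roa_via_isp], tas))
```

Running it shows the asymmetry Jeffrey Haas describes: the ROA issued under `LIR-1` validates only for a relying party that trusts `RIR-A`, the one issued under `ISP-X` only for one that trusts `ISP-X`, and covering both audiences takes both ROAs. The resource-containment check is also what stops the ISP root from being used to assert prefixes outside the space its certificate holds.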
