On 29/07/2011, at 8:21 AM, Roque Gagliano wrote:

>> I think Roque's suggestion of an EKU to mark an EE cert as being associated
>> with a route server is helpful here. Yes, this is a self-assertion, and
>> thus not authoritative.
>> But, it could be a convenient mechanism to assist in configuration for
>> checking when it's OK to receive an update with a 0 pCNT value.
>> Specifically, if we agree that an ISP knows when a configured peer is an RS,
>> then we can mandate that an ISP check to make sure that an update received
>> from a peer with a 0 pCNT is, in fact, coming from what it believes is an
>> RS. Having a marker in a cert that says "HI, I'm an RS" at least makes this
>> intent clear. (One also could imagine that, since IXPs are well known and
>> the route servers at IXPs are known, a third party could scan the RPKI
>> looking for certs that claim to be associated with RSes, and checking to see
>> if they appear to be legit.)
>
> About this last statement, the RIRs keep a list of IP Addresses for the IXPs,
> we could ask them to sign that list and include their ASN to increase the
> "confidence" that they really are RS. This could be checked by the validator.
>
I am not sure that the RIRs really are appropriate reference points as to the _purpose_ to which ASes are put to use from day to day, and much the same applies to the purpose of the use of IP addresses in routing.

I suggest that it would perhaps be better to look elsewhere, and even to examine the validity of the assumed need for the injection of additional mechanisms of confidence into what I would phrase as a "policy conformance" issue rather than a "detection of lying in routing" issue.

Geoff

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
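The ISP-side check the thread argues about, as an added example that is not code from the thread or from any BGPsec implementation: an update whose peer segment carries pCount 0 is accepted only when that peer is locally configured as a route server, while an "RS" EKU in the signer's EE cert is treated as the self-assertion the quoted text calls it, producing a finding only when it disagrees with local configuration. The segment ordering, the class and function names, the EKU string and the AS numbers are assumptions constructed for the example.

```python
"""Added example of the ISP-side pCount 0 check discussed in the thread.
Assumptions: path[0] is the peer's own (most recent) segment; RS_EKU is a
placeholder for the proposed EKU marker, not a registered OID."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

RS_EKU = "id-kp-routeServer-PLACEHOLDER"  # placeholder marker, assumption


@dataclass
class Segment:
    asn: int                    # AS that signed this segment
    pcount: int                 # 0 means "transparent": the RS adds no hop
    ee_ekus: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class PeerConfig:
    asn: int
    is_route_server: bool       # what the ISP believes about this peer


def check_update(peer: PeerConfig, path: List[Segment]) -> Tuple[bool, List[str]]:
    """Return (accept, findings). Local configuration is authoritative for the
    peer segment; the EKU is only cross-checked against it."""
    findings: List[str] = []
    if not path or path[0].asn != peer.asn:
        return False, ["peer segment missing or not signed by the configured peer"]
    mine, accept = path[0], True
    # Policy from the thread: pCount 0 is only acceptable from a configured RS.
    if mine.pcount == 0 and not peer.is_route_server:
        accept = False
        findings.append(f"pCount 0 from AS{mine.asn}, which is not configured as an RS")
    # The cert's RS claim is self-asserted: record disagreement, do not trust it.
    claims_rs = RS_EKU in mine.ee_ekus
    if claims_rs != peer.is_route_server:
        findings.append(
            f"EE cert of AS{mine.asn} {'claims' if claims_rs else 'does not claim'} RS; "
            f"local config says {'RS' if peer.is_route_server else 'not RS'}")
    # pCount 0 further along the path cannot be checked against local config.
    for seg in path[1:]:
        if seg.pcount == 0:
            findings.append(f"pCount 0 at AS{seg.asn} beyond the peer; not locally verifiable")
    return accept, findings
```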
