Speaking as a regular ol' member
On Wed, 10 Aug 2011, Montgomery, Douglas wrote:
On 8/9/11 9:42 PM, "George Michaelson" <[email protected]> wrote:
On 10/08/2011, at 11:34 AM, Danny McPherson wrote:
On Aug 9, 2011, at 9:23 PM, George Michaelson wrote:
<snip>
> I think it important to remember that BGPSEC and Origin Validation are
> basically preventative, not reactionary/response mechanisms. That is
> infrastructure that is manipulated in human time scales (e.g., ROAs,
> AS/router Certs) that prevent future false announcements. I think it is
> the assumption that having ROAs in place will address most pop-up spam
> false announcements.

I agree that the RPKI is an infrastructure whose contents change in human
time scales, with the examples you mention. But the bgpsec protocol
operates in-line and at bgp time scales. (Whether that is human scale or
not, I'll leave to the operators.)

Certainly ROAs would make the pop-up spammers work harder, but I don't
know that ROAs could be said to address them completely. Danny has pointed
out many times that origin validation does not prevent a bad actor from
attaching the valid origin to a bogus path. That was a motivation for
doing path validation. I would think pop-up spammers might be determined
enough to go to the effort of doing the attach-valid-to-bogus step. They
seem to be determined enough to take steps to thwart any other measure
thrown in their path.
--Sandy
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
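
The gap between origin validation and path validation discussed in the message above can be seen in a simplified version of the RFC 6811 origin-validation procedure. This is an added example, not part of the original thread; the ROA, prefixes and AS numbers are constructed from documentation ranges, and AS_SET handling is omitted.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network  # prefix the ROA covers
    max_length: int                # longest announced prefix length allowed
    asn: int                       # AS authorized to originate the prefix


def origin_validate(prefix, as_path, roas):
    """Simplified RFC 6811 check: 'valid', 'invalid' or 'not-found'.

    Only the origin (rightmost AS in AS_PATH) is examined; the rest of the
    path is never looked at, which is the limitation the thread discusses.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa in roas:
        if net.version == roa.prefix.version and net.subnet_of(roa.prefix):
            covered = True
            if roa.asn == origin and net.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data (documentation prefixes and AS numbers).
ROAS = [ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496)]
ANNOUNCEMENTS = {
    "legitimate": ("192.0.2.0/24", [64500, 64496]),
    "wrong origin": ("192.0.2.0/24", [64500, 64511]),
    # AS 64511 is not the holder but appends the authorized origin to its path.
    "valid origin on bogus path": ("192.0.2.0/24", [64500, 64511, 64496]),
    "longer than maxLength": ("192.0.2.0/25", [64500, 64496]),
    "no covering ROA": ("198.51.100.0/24", [64500, 64499]),
}


def classify_all():
    """Run origin validation over every constructed announcement."""
    return {name: origin_validate(p, path, ROAS)
            for name, (p, path) in ANNOUNCEMENTS.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:28s} -> {state}")
```

The "valid origin on bogus path" announcement is classified the same as the legitimate one, so a receiver that relies on ROAs alone cannot tell them apart; distinguishing them requires checking the path itself.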