> By doing "converge first verify later", the router can be made cheaper.

I'm not certain I'd agree with this assessment... I'd guess you can make convergence faster this way, but the memory and other costs on the router are going to be the same. You could make it cheaper by moving specific things off the router and onto auxiliary boxes, but the point of inline authentication is _not_ to move anything onto boxes outside the router (or even onto line cards within the router) -- this is the reason all overlay proposals were rejected up front.

> However, there is still the cost of the RPKI and the cost of
> running/maintaining it.
> My guess is that will bury the cost of the routers.

I would guess this, as well -- and I would guess that the cost of the extra memory and processing to perform what BGPsec is asking for will never be buried. IMHO, there will always be a cost differential between a device capable of what BGPsec requires, and a device that's not capable.

Security will always cost something, no matter how you slice it. The more "perfect" you try to make it, the more it will cost. SIDR seems to have started out with "let's engineer the most perfect security we can imagine," end of the stick -- something most engineers (including myself) tend to do a lot.

Russ

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
