
-- You must not rely on routing to secure routing.
I would like to point out that this goal is unnecessary.

First, we need to understand that for ANY solution to be deployable, it must be incrementally deployable. We do not get an Internet-wide flag day for BGP. The Internet must continue to function, regardless of the percentage of NLRI that are actually authenticated. For the foreseeable future, we will need to have a path selection policy that rejects any information that clearly fails authentication, continues to use unauthenticated prefixes, and prefers authenticated vs. unauthenticated.

Second, validating a certificate must be doable even if the router is using unauthenticated prefixes to do so. Remember that the crypto properties of a certificate must make it unforgeable, and that routers must have at least one reference point in the web of trust. If the route to the root of that web is spoofed, then the crypto will not be able to validate any other certificates in the web, but this is NOT an authentication failure -- the related NLRI are just unauthenticated, not unusable. Obviously, authenticating the root certificate NLRI is our top priority, but the system MUST continue to operate even without this. This is the only way to truly address the chicken and egg problem.

I think that this also highlights the need for multiple, diversely routed certificate authorities.

Tony