On Sat, 2005-05-21 at 16:03 -0400, Steven M. Bellovin wrote:
> Look at it this way: do you think that (a) most sites will publish their policies in the registry, and (b) they'll remember to update them? As Randy has noted, we have a decade of experience suggesting that neither is true.
There's a very simple reason why registries have not been kept up to date over the past decade -- many operators do not use them for generating their policy configurations. Given this situation, it's difficult to draw any conclusions from the last decade. If you look back to the NSFNet days (prior to a decade ago) and the PRDB (Policy Routing Database), you might very well draw a different conclusion. The PRDB was kept up to date because a database entry was required to transit the NSFNet. This is not to imply that registries should play anything more than an interim role. Nonetheless, there would seem to be opportunities to improve current operational practices until more secure solutions are deployed.

-Larry Blunk
Merit