[ sorry cameron, trying to keep things down to one message ]
http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-... http://www.itworld.com/security/272320/engineers-ponder-easier-fix-dangerous...
and don't miss http://www.theregister.co.uk/2012/04/23/ip_hijack_prevention/ free dinner at nanog/van for anyone who can explain how the dnssec approach meets the defcon attack. hint: it is a path attack, not an origin attack, and the dns pigeon has no hooks to path attack prevention. at ripe, joe gersh asked me for an example of a path attack and i told him of the defcon demo. seems he also did not bother to do his homework. but it makes good pr. someone selling dnssec appliances flew a press release that a few reporters bought without doing their homework. end of net predicted, news at eleven.
Taking what seriously? The commitments to rpki you speak of?
a thousand LIRs in the ripe region, 500 elsewhere? cisco code shipping on a number of platforms, juniper soon. some of us have actually started validating route origins in the real network using rpki and cisco and juniper (test) code.

---- Saku Ytti <saku@ytti.fi> wrote:
If two fails don't make a win, then I think ROVER is a better solution; it doesn't need any changes to BGP, just a little software magic when accepting routes.
you are right, you have not done your homework. rpki-based origin validation asks no changes to bgp.
People might be scared to rely on DNS when accepting routes, but is this really an issue?
yes. rpki can also have that issue as the certs can have urls that use domain names. i believe they could use ip address urls instead. but the gathering operation differs greatly between the rpki and the dnssec based proposal. with the latter, you can't even tell you have the full set.

----

the worry in the ripe region and elsewhere is what i call the 'virginia court attack', also called the 'dutch court attack'. some rights holder claims their movie is being hosted in your datacenter and they get the RIR to jerk the attestation to your ownership of the prefix or your ROA. this problem is inherent in any system which uses the address allocation administrative hierarchy to attest to address space ownership, whether rpki, dns-based, or hollerith cards. i do not like it either. but it is a trade you make for security. and, at ripe ljubljana, i think alex started to discuss some schemes to ameliorate it. more later on this.

----

randy
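An added illustration, not part of the thread, of the distinction Randy draws between origin attacks and path attacks: RFC 6811-style route origin validation against a constructed ROA set (the prefixes and AS numbers are documentation placeholders, not real allocations). It catches a forged origin or an unauthorised more-specific, but a route whose AS_PATH has been tampered with while keeping the legitimate origin still validates, which is the limitation shared by any origin-only scheme, RPKI- or DNS-based.

```python
# Added example: RFC 6811 origin validation over a constructed ROA set.
# Shows why origin validation is blind to path attacks. Not code from the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covering prefix as issued in the ROA
    max_length: int  # longest announced prefix the ROA authorises
    origin_as: int   # AS authorised to originate within that prefix


# Constructed ROA set using documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if net.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "valid"
    # Covered by at least one ROA but no ROA matches: invalid; otherwise unknown.
    return "invalid" if covered else "notfound"


def validate_route(prefix: str, as_path: list) -> str:
    # Origin validation inspects only the rightmost AS of the AS_PATH.
    # Everything to its left (the "path") is never checked, so an attacker
    # who keeps the true origin at the end of a forged path passes.
    return validate_origin(prefix, as_path[-1])


if __name__ == "__main__":
    print(validate_route("192.0.2.0/24", [64500, 64496]))         # valid
    print(validate_route("192.0.2.0/24", [64500, 64666]))         # invalid: origin hijack
    print(validate_route("198.51.100.0/25", [64497]))             # invalid: beyond maxLength
    print(validate_route("203.0.113.0/24", [64500]))              # notfound: no ROA
    print(validate_route("192.0.2.0/24", [64500, 64666, 64496]))  # valid: path attack undetected
```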