Sean Donelan wrote:
On Mon, 23 Apr 2007, Chris L. Morrow wrote:
I think the strawman proposals so far were something like:
1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
This seemed not-too-insane, and would give ISP/operator type folks the ability to easily and quickly verify that:
157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
with some level of authority... It's nothing really more than that.
You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.
IMHO ISPs that are not maintaining their entries correctly should not have a place on the Internet. In IPv6 one can see it quite well actually: when one has route6 entries the prefix has more of a chance of piercing through filters than when it has none. Adding a signature to this chain of checks and enforcing BGP announcements to be signed would definitely weed out a lot of bad ISPs who couldn't care less, as they suddenly start losing connectivity. Do also note that, like DNS roots, anybody can set up their private signing authority and provide certs to their buddy ISPs in a similar manner.
The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. "I forgot my password") to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. "I lost my RSA cert, please sign a new one for 'me'."
This is also more about who is responsible for the address, not who actually uses the address space. With hacked computers and botnets and the like that is an unknown anyway. But when the responsible organization crosses the line a couple of times, it is easy to see where the bad ones really are.
An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
What is the problem here then? You simply mark the LIR as untrustworthy when they peep up a number of times, and as more and more ISPs do that they silently disappear from the Internet, at least the one the 'trusted' ISPs are in. This is the same as de-peering ones who are not being nice to you, but now you at least know it is them being bad and not somebody just hijacking them. It's just a little step up from what already gets done. With every verification mechanism that involves trust and signing there usually is also a need for a whitelist and a blacklist; you can manage these yourself or you can let some 3rd party do it, like what is done with many of the spam cases.
Greets,
Jeroen
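As an added illustration of the strawman chain above and of the point that the signatures only prove who signed, not whether the directory entry is right, here is a Go example that is not from the thread: it collapses the hierarchy to IANA, one RIR and one LIR, has the LIR sign an origin statement, and verifies that statement against the IANA root. All names, serials and the "prefix origin org-id" statement format are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Node is one link of the strawman chain (IANA -> RIR -> LIR); every name used here is constructed.
type Node struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }
// Issue makes a CA certificate for name signed by parent; a nil parent yields a self-signed root.
func Issue(name string, serial int64, parent *Node) *Node {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	cert, err := x509.ParseCertificate(der) // a failed issuance leaves der empty and fails here
	if err != nil {
		panic(err)
	}
	return &Node{key, cert}
}
// Sign is the LIR attesting a statement like "157.242.0.0/16 origin LMU-1" (PKCS#1 v1.5 over SHA-256).
func Sign(lir *Node, statement string) []byte {
	h := sha256.Sum256([]byte(statement))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, lir.Key, crypto.SHA256, h[:])
	return sig
}
// Verify checks sig over statement by lir and that lir chains to iana through rir (validity, CA flags, trust anchor). It proves who signed, not that the statement is true.
func Verify(statement string, sig []byte, lir, rir, iana *x509.Certificate) bool {
	if lir.CheckSignature(x509.SHA256WithRSA, []byte(statement), sig) != nil {
		return false
	}
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(iana)
	mids.AddCert(rir)
	_, err := lir.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

A statement the legitimate LIR was tricked into signing verifies exactly like a correct one, which is the whole argument about directory quality; an online CRL check would only help once the bad signature is noticed and revoked.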