Todd Underwood wrote:
seems to me that certified validation of prefix ownership and as path are the only real way out of these problems that does not teach us the 42 reasons we use a *dynamic* protocol.
certified validation of prefix ownership (and path, as has been pointed out) would be great. it's clearly a laudable goal and seemed like the right way to go. but right now, no one is doing it. the rfcs that i've found have all expired. and the conversation about it has reached the point where people seem to have stopped even disagreeing about how to do it. in short, it's as dead as dns-sec. so what are we to do in the meantime?

(a) I'd hardly say dead - there's the sidr work starting up in the IETF with vendor/operator/registry participation. And there was a panel discussion at the last NANOG about government efforts to assemble the right people (vendors/operators/registries/etc) to work on routing infrastructure security - and prefix origination was one of the biggest items on everyone's list of goals/hopes/longings/dreams. (Truth in advertising: I've been one of those involved in the gov't sponsored workshops.)

(b) dnssec isn't dead - there's serious work afoot to get it deployed. Sweden and RIPE have signed their zones. There are web sites that point to work going on, if you'd like to know more:

www.dnssec-deployment.org
www.dnssec.net

(Truth in advertising: I work with people who are working on this.)

(z) I think you mean internet drafts, not rfcs. I don't think there have been any rfcs (would there were - we'd be in a different situation), and rfcs don't expire.

--Sandy