On (2012-04-27 22:05 +0000), Paul Vixie wrote:
this seems late, compared to the various commitments made to rpki in recent years. is anybody taking it seriously?
(Disclaimer: I'm almost completely clueless on RPKI.)

If two fails don't make a win, then I think ROVER is a better solution; it doesn't need any changes to BGP, just a little software magic when accepting routes. People might be scared to rely on DNS when accepting routes, but is this really an issue?

I'd anyhow prefer to run verification in 'relaxed' mode, where routes which fail authorization are logged but accepted if there wasn't a pre-existing covering route. Only drop routes if they fail authorization _AND_ there is a pre-existing covering route.

Maybe after several more years of experience and working out kinks, I could dare to try to run verification in 'strict' mode. But 'relaxed' mode would already stop the real-life problems we've seen of route hijackings. I don't really care much about unannounced nets used for spamming.

Nick Hilliard mentioned the bootstrapping problem to me in another forum. DNS would then be inherently part of your NMS, so install DNS in your NMS, and the NMS already exists in the IGP. So the infra for verification should be up before BGP is up.

--
++ytti
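The 'relaxed' acceptance rule described in the message above, as an added Python sketch that is not part of the original message or of any ROVER or RPKI implementation. Assumptions: the authorization data has already been fetched into a prefix-to-origin-AS map, a route passes if an equal or covering entry lists its origin AS, 'strict' means every failing route is dropped, and all prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs).
# Assumption: origin authorizations were already looked up into this map.
AUTHORIZED = {
    ipaddress.ip_network("192.0.2.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/24"): {64501},
}


def is_authorized(prefix, origin_as, authorized=AUTHORIZED):
    """Pass if an entry equal to or covering the prefix lists this origin AS."""
    return any(
        prefix.version == net.version
        and prefix.subnet_of(net)
        and origin_as in origins
        for net, origins in authorized.items()
    )


def has_covering_route(prefix, table):
    """True if the table already holds the same or a less specific prefix."""
    return any(
        prefix.version == net.version and prefix.subnet_of(net) for net in table
    )


def evaluate(prefix, origin_as, table, mode="relaxed", log=None):
    """Return 'accept' or 'drop'; accepted routes are installed into table."""
    prefix = ipaddress.ip_network(prefix)
    if is_authorized(prefix, origin_as):
        verdict = "accept"
    else:
        covered = has_covering_route(prefix, table)
        # strict: every failure is dropped; relaxed: only when already covered.
        verdict = "drop" if (mode == "strict" or covered) else "accept"
        if log is not None:
            log.append((str(prefix), origin_as, verdict))  # failures are logged
    if verdict == "accept":
        table.setdefault(prefix, set()).add(origin_as)
    return verdict
```

Because the covering check includes equal-length prefixes, an unauthorized announcement of a prefix that is already in the table is dropped as well as a more specific one.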