Thus spake <bmanning@karoshi.com>
On Mon, Apr 23, 2007 at 05:23:03PM -0400, Sandy Murphy wrote:
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
No governments involved.
no problemo... when i hand out a block of space, i'll expect my clients to hand me a DS record ... then I sign the DS. and I'll hand a DS to my parent, which they sign. That works a treat.... today (if you run current code) and gives you exactly what you describe above.
That roughly matches what I expect, but the process seems backwards. If IANA hands, say, 99/8 to ARIN, I'd expect that to come with a certificate saying so. Then, if ARIN hands 99.1/16 to an ISP, they'd hand a certificate saying so to the ISP, which could be linked somehow to ARIN's authority to issue certificates under 99/8. And so on down the line. Then, when the final holder advertises their 99.1.1/24 route via BGP, receivers would check that it was signed by a certificate that had a verifiable path all the way back to IANA. Of course, one must be prepared to accept unsigned routes since they'll be the majority for a long time, which means you still run afoul of the longest-match rule. If someone has a signed route for 99.1/16, and someone else has unsigned routes for one or more (or all) of 99.1.0/24 through 99.1.255/24, what do you do? Do you block an unsigned route from entering the FIB if there's a signed aggregate present? Doesn't that break common forms of TE and multihoming? If you don't, doesn't that defeat signing in general since hijackers would merely need to use longer routes than the real holders of the space? To paraphrase Barbie, "security is hard; let's go shopping!" S Stephen Sprunk "Those people who think they know everything CCIE #3723 are a great annoyance to those of us who do." K5SSS --Isaac Asimov