: I like the idea of people being able to START on the authentication database of ownership/announcement in a distributed fashion, but perhaps there are other ways (perhaps DNS-based) of getting there as well...
Yes there are other ways and I suggest that the optimal choice of protocol for publishing this information is LDAP, not DNS. That's because there is no need for kludges to get the data that you need into LDAP since it supports a wide variety of data types. It can also be used in a hierarchical referral chain just like DNS. I am suggesting that the starting point here is to get ARIN to set up an LDAP server to authoritatively identify the leaseholder for all IP address space. Next step is to get ISPs to replace their creaking antiquated rwhois servers with LDAP servers. And then build up tools that use the data from the LDAP hierarchy to generate route filters, configure firewalls, manage SMTP filters, etc. If people want a PKI cert hierarchy, that data can go into the same servers. If people want to have secure BGP sessions they can have their network management system talking to the LDAP hierarchy to check certs and then tell their routers what to do. A router should never have to do any crypto itself.
: My opinion is that lazy operational practices are the single biggest threat to the Internet.
One of the lazy operational practices is the proliferation of crudely hacked tools, often written in PERL which is like a swiss army knife made by tying together a knife, pliers, nailfile and screwdriver using dental floss and duct tape. There was a time when the net was growing too fast to plan and nobody had any experience or any benefit of hindsight. But times have changed and we now need to replace some of this rotting infrastructure with better general purpose tools that have some architectural planning behind them. Something like a Leatherman tool or a Victorinox swiss army knife. I believe that LDAP can be the core of this toolset. I also believe that we need to stop relying on the packet-forwarding box to do the entire job of routing and start using more auxiliary CPU power in a vendor independent way. There is plenty of experience in building rackmount Intel-based BSD/Linux servers that run as reliably as the routers themselves. Let these boxes do the job of authenticating and authorising route exchange and similar jobs. --Michael Dillon
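As an added illustration (not code from the thread), here is the shape of one of the tools described above: a script that reads leaseholder records published in LDAP form and derives an inbound prefix filter for a peer AS, refusing any child block that does not sit inside its declared parent. The LDIF, the attribute names (leaseholder, originAS, parent) and the AS numbers are constructed for the example, not a real ARIN or RIPE schema.

```python
import ipaddress

# Constructed LDIF, standing in for what an RIR (parent) and an ISP (child)
# server might publish. Attribute names are hypothetical.
SAMPLE_LDIF = """\
dn: cn=192.0.2.0/24,ou=inetnum,o=rir-example
cn: 192.0.2.0/24
leaseholder: Example Net
originAS: 64496

dn: cn=192.0.2.128/25,ou=inetnum,o=rir-example
cn: 192.0.2.128/25
leaseholder: Example Customer
originAS: 64497
parent: cn=192.0.2.0/24,ou=inetnum,o=rir-example

dn: cn=203.0.113.0/24,ou=inetnum,o=rir-example
cn: 203.0.113.0/24
leaseholder: Bogus Claim
originAS: 64497
parent: cn=192.0.2.0/24,ou=inetnum,o=rir-example
"""

def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank line between entries)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def build_prefix_filter(entries, peer_as):
    """Prefixes registered with originAS == peer_as, sorted; a child block
    whose parent is unknown or does not contain it is dropped."""
    by_dn = {e["dn"][0]: e for e in entries}
    accepted = []
    for e in entries:
        prefix = ipaddress.ip_network(e["cn"][0])
        parent_dn = e.get("parent", [None])[0]
        if parent_dn is not None:
            parent = by_dn.get(parent_dn)
            if parent is None or not prefix.subnet_of(ipaddress.ip_network(parent["cn"][0])):
                continue  # hierarchy check failed: do not trust this record
        if e["originAS"][0] == str(peer_as):
            accepted.append(str(prefix))
    return sorted(accepted)

def render_prefix_list(name, prefixes):
    """Render IOS-style prefix-list lines ending in an explicit deny-all."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} permit {p}" for i, p in enumerate(prefixes)]
    lines.append(f"ip prefix-list {name} seq {10 * (len(prefixes) + 1)} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)
```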
On Mon, Mar 03, 2003 at 11:53:51AM +0000, Michael.Dillon@radianz.com <Michael.Dillon@radianz.com> wrote a message of 55 lines which said:
: Yes there are other ways and I suggest that the optimal choice of protocol for publishing this information is LDAP, not DNS. ... Next step is to get ISPs to replace their creaking antiquated rwhois servers with LDAP servers.
Technically, this is reasonable, and I suggest that everybody who shares this view do some actual work in the IETF working group which is precisely devoted to the subject: Crisp <URL:http://www.ietf.org/html.charters/crisp-charter.html>. LDAP is one of the two actual proposals discussed at Crisp, the new IRIS protocol being the other. Do note that Crisp explicitly works also on address registries, not just domain registries.
: I am suggesting that the starting point here is to get ARIN to set up an LDAP server to authoritatively identify the leaseholder for all IP address space.
I suggested the same to the RIPE-NCC some time ago. No real interest. I believe that the RIRs have enough work :-} They do not seem to participate in Crisp either :-(
: I believe that LDAP can be the core of this toolset.
: --Michael Dillon
Why not put everything into a MySQL db? :) LDAP is a fine tool but it was not designed to do some of the things that other tools do. We are not yet at the point where all we have is the LDAP hammer so everything looks like a db-nail. --bill
participants (3): bmanning@karoshi.com, Michael.Dillon@radianz.com, Stephane Bortzmeyer