Vadim Antonov <avg@pluris.com> writes:
The only real solution is strong cryptographical authentication of the ownership of routing prefixes. For some reason i do not see any serious work in that direction being done.
This would be much easier if we had a bottom-up hierarchical addressing structure rather than the current top-down one. Consider the distribution of cryptographically authenticated connectivity maps a la NIMROD or a multi-level LS protocol, for example, for path authentication vs. how one would distribute and authenticate reachability information with the current addressing structure. Sean.
On 6 Jan 1998, Sean M. Doran wrote:
This would be much easier if we had a bottom-up hierarchical addressing structure rather than the current top-down one.
Consider the distribution of cryptographically authenticated connectivity maps a la NIMROD or a multi-level LS protocol, for example, for path authentication vs. how one would distribute and authenticate reachability information with the current addressing structure.
I don't understand how the current top-down allocation affects how that would be done. As I see it (and I haven't spent any significant time working on it, but it seems straightforward):

1) ARIN/whoever signs an address allocation to an entity
2) that entity signs route announcements to peers/upstreams, including who they are announced to
3) readvertisements are signed by the advertiser

Any recipient of a route can verify that the address space was properly allocated by inspecting the address allocation certificate and verifying the signature of the registry, and they can verify the path that advertisement has taken to get to where it is. Thus no one can interject a route to a network prefix that is not properly allocated, and someone cannot steal a route advertisement for someone else's prefix.

The biggest problem with something like this is the size of the routing table in memory (since you have to keep certificates around for readvertisements) and in the bandwidth required for the updates.

I am not familiar with NIMROD, do you have a pointer to it?

John Tamplin                    Traveller Information Services
jat@Traveller.COM               2104 West Ferry Way
205/883-4233x7007               Huntsville, AL 35801
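The three-step scheme John sketches, as an added example that is not code from the thread or from any deployed protocol: a registry certificate for the allocation, an origin announcement signed together with the neighbor it is sent to, and readvertisements that sign the whole chain they received, plus a verifier that walks the chain back to the certified holder. The entity names, keys and prefix are constructed, and HMAC under a per-entity secret stands in for the public-key signatures a real design would use.

```python
import hashlib, hmac, json

# Constructed keys for one registry and three ASes. HMAC under each entity's
# secret stands in for a public-key signature so this runs on the standard
# library alone; a real design would use asymmetric keys instead.
KEYS = {"registry": b"reg-secret", "AS100": b"k100",
        "AS200": b"k200", "AS300": b"k300"}

def sign(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def verify(signer, body, sig):
    return signer in KEYS and hmac.compare_digest(sign(signer, body), sig)

def unsigned(obj):
    return {k: v for k, v in obj.items() if k != "sig"}

def allocate(prefix, holder):
    # Step 1: the registry certifies that `holder` owns `prefix`.
    body = {"prefix": prefix, "holder": holder}
    return {**body, "sig": sign("registry", body)}

def advertise(advertiser, prefix, to, prev=None):
    # Steps 2 and 3: each advertiser signs the prefix, the neighbor it is
    # announced to, and the signed chain it received (`prev`, None at origin).
    body = {"prefix": prefix, "from": advertiser, "to": to, "prev": prev}
    return {**body, "sig": sign(advertiser, body)}

def validate(cert, adv, receiver):
    """True only if `adv`, as received by `receiver`, traces hop by hop back
    to the certified holder of the prefix with every signature valid."""
    if not verify("registry", unsigned(cert), cert["sig"]):
        return False
    expected_to, hop = receiver, adv
    while hop is not None:
        if hop["prefix"] != cert["prefix"] or hop["to"] != expected_to:
            return False  # wrong prefix, or replayed to a neighbor it was not signed for
        if not verify(hop["from"], unsigned(hop), hop["sig"]):
            return False  # forged or tampered advertisement
        expected_to, hop = hop["from"], hop["prev"]
    return expected_to == cert["holder"]  # the chain must start at the owner

# Constructed sample: registry -> AS100 -> AS200 -> AS300; HIJACK is AS300
# announcing a prefix it does not hold.
CERT = allocate("192.0.2.0/24", "AS100")
ORIGIN = advertise("AS100", "192.0.2.0/24", "AS200")
READVERT = advertise("AS200", "192.0.2.0/24", "AS300", ORIGIN)
HIJACK = advertise("AS300", "192.0.2.0/24", "AS200")
```

The nested `prev` field is exactly the per-readvertisement certificate baggage John flags: it grows with the path length, which is where the memory and update-bandwidth cost comes from.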
Sean M. Doran wrote:
Vadim Antonov <avg@pluris.com> writes:
> The only real solution is strong cryptographical authentication of
> the ownership of routing prefixes. For some reason i do not see
> any serious work in that direction being done.
This would be much easier if we had a bottom-up hierarchical addressing structure rather than the current top-down one.
I quite agree with that (though i'm not convinced that "bottom->top" allocation combined with recursive NATting is the best architecture). However, this does not preclude doing authentication with the current routing system. --vadim
I am sorry, but what for do you want it? Why is it not efficient to use AS identification in conjunction with IP prefix filtering at the 1st level ISPs (and maybe 2nd level too), based on the NIC database?

On Tue, 6 Jan 1998, Vadim Antonov wrote:
Date: Tue, 06 Jan 1998 13:23:47 -0800
From: Vadim Antonov <avg@pluris.com>
To: "Sean M. Doran" <smd@clock.org>, nanog@merit.edu
Subject: Re: route ingress
Sean M. Doran wrote:
Vadim Antonov <avg@pluris.com> writes:
> The only real solution is strong cryptographical authentication of
> the ownership of routing prefixes. For some reason i do not see
> any serious work in that direction being done.
This would be much easier if we had a bottom-up hierarchical addressing structure rather than the current top-down one.
I quite agree with that (though i'm not convinced that "bottom->top" allocation combined with recursive NATting is the best architecture).
However, this does not preclude doing authentication with the current routing system.
--vadim
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)