North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Jeffrey I. Schiller
  • Date: Tue Nov 22 01:31:38 2005
  • Openpgp: id=F414952B

Oh, I am quite aware of the BGP RP-Sec work and many people have heard
my opinion on this topic, including some on this mailing list. But I'll

Hierarchical relationships breed "reptiles" because of the inherent
asymmetric business relationship that results. The "leaves" *must* do
business with the root, but the root does *not* have to do business with
the "leaves." This results in the root calling the shots, for its own
benefit and profit.

Frankly, I am quite impressed with the address registries. For the most
part they are the exception. I believe this is because they are still
run by or heavily influenced by the "wide eyed academics" (as I have
been accused of being) who believe in the Internet Dream... (you know
who you are!). However there is also a "check and balance" in that if
the registries become unreasonable, people will think about ignoring
them, and they have to know this, if not explicitly, implicitly.

However, I fear creating yet another hierarchy which must work for the
Internet to work. One based on a PKI would not have to be reasonable, as
the "leaves" would have a harder time ignoring it. Piss off the
hierarchy, and forget about being routed.

I would much prefer an arrangement where the PKI for BGP was controlled
by the providers. So an institution would have its "certificate" signed
by its upstream (or one of its upstream) providers. In such a
transaction the balance of power is much more symmetric and therefore
likely to be reasonable.

The providers could cross-certificate to build a "root free" (as in
"default free" zone) mesh (aka "Web of Trust.").


Blaine Christian wrote:
> Jeff you hit a hot button <grin>...  You would love the BGP RP-Sec 
> stuff going on at IETF etc...
> I "think" root authority for live routing protocols is out of the 
> picture.  However, you may want to stay tuned and speak up if you  feel
> a root authority for routing protocols is bad.
> Regards,
> Blaine

Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
[email protected]