|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical BGP Security and PKI Hierarchies (was: Re: Wifi Security)
Oh, I am quite aware of the BGP RP-Sec work and many people have heard my opinion on this topic, including some on this mailing list. But I'll re-iterate. Hierarchical relationships breed "reptiles" because of the inherent asymmetric business relationship that results. The "leaves" *must* do business with the root, but the root does *not* have to do business with the "leaves." This results in the root calling the shots, for its own benefit and profit. Frankly, I am quite impressed with the address registries. For the most part they are the exception. I believe this is because they are still run by or heavily influenced by the "wide eyed academics" (as I have been accused of being) who believe in the Internet Dream... (you know who you are!). However there is also a "check and balance" in that if the registries become unreasonable, people will think about ignoring them, and they have to know this, if not explicitly, implicitly. However, I fear creating yet another hierarchy which must work for the Internet to work. One based on a PKI would not have to be reasonable, as the "leaves" would have a harder time ignoring it. Piss off the hierarchy, and forget about being routed. I would much prefer an arrangement where the PKI for BGP was controlled by the providers. So an institution would have its "certificate" signed by its upstream (or one of its upstream) providers. In such a transaction the balance of power is much more symmetric and therefore likely to be reasonable. The providers could cross-certificate to build a "root free" (as in "default free" zone) mesh (aka "Web of Trust."). -Jeff Blaine Christian wrote: > Jeff you hit a hot button <grin>... You would love the BGP RP-Sec > stuff going on at IETF etc... > > I "think" root authority for live routing protocols is out of the > picture. However, you may want to stay tuned and speak up if you feel > a root authority for routing protocols is bad. > > Regards, > > Blaine > > > -- ============================================================================= Jeffrey I. Schiller MIT Network Manager Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice [email protected] ============================================================================
|