On Feb 1, 2011, at 3:43 PM, Arturo Servin wrote:

> Is it really a better alternative? Do we want to pay the cost of a
> fully distributed RPKI architecture?
>
> Or do we just abandon the idea of protecting the routing infrastructure?
>
> There is no free-lunch, we just need to select the price that we want
> to pay.
>

I agree there is no free-lunch. Randy Bush addressed the problem, in a recent email, by contrasting his "security" personality against his mistrust of authority. (That's my summary, not his words.) And I think that's exactly what I'm struggling with.

I want to secure the routing infrastructure, but I don't completely trust centralized regimes. At their best, they're a target for exploitation - at their worst, they're authoritarian.

Randy was kind enough to point me toward http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-00 which I'm in the process of reading. Perhaps there is a way to balance between "fully distributed" and "centralized", e.g. by supporting multiple roots and different trust domains.

Cheers,
-Benson

> On 1 Feb 2011, at 16:29, Benson Schliesser wrote:
>
>>
>> On Feb 1, 2011, at 11:14 AM, Christopher Morrow wrote:
>>
>>> On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <milln...@gmail.com> wrote:
>>>> Here be dragons,
>>> <snip>
>>>> It should be fairly obvious, by most recently what's going on in
>>>> Egypt, why allowing a government to control the Internet is a Really
>>>> Bad Idea.
>>>>
>>>
>>> how is the egypt thing related to rPKI?
>>> How is the proposed rPKI work related to gov't control?
>>
>> In theory at least, entities closer to the RPKI root (RIRs, IANA) could
>> invalidate routes for any sort of policy reasons. This might provide
>> leverage to certain governments, perhaps even offering the ability to
>> control routing beyond their jurisdiction.
>>
>> As an example, it's imaginable that the US government could require IANA or
>> ARIN to delegate authority to the NSA for a Canadian ISP's routes. Feel
>> free to replace the RIR/LIR and country names, to suit your own example.
>>
>> Cheers,
>> -Benson