On Feb 1, 2011, at 3:43 PM, Arturo Servin wrote:

>       Is it really a better alternative? Do we want to pay the cost of a 
> fully distributed RPKI architecture?
> 
>       Or do we just abandon the idea of protecting the routing infrastructure?
> 
>       There is no free-lunch, we just need to select the price that we want 
> to pay.
> 

I agree there is no free-lunch.

Randy Bush addressed the problem, in a recent email, by contrasting his 
"security" personality against his mistrust of authority. (That's my summary, 
not his words.)  And I think that's exactly what I'm struggling with.  I want 
to secure the routing infrastructure, but I don't completely trust centralized 
regimes.  At their best, they're a target for exploitation - at their worst, 
they're authoritarian.

Randy was kind enough to point me toward 
http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-00 which I'm in the process 
of reading.  Perhaps there is a way to balance between "fully distributed" and 
"centralized", e.g. by supporting multiple roots and different trust domains.

Cheers,
-Benson




> On 1 Feb 2011, at 16:29, Benson Schliesser wrote:
> 
>> 
>> On Feb 1, 2011, at 11:14 AM, Christopher Morrow wrote:
>> 
>>> On Sun, Jan 30, 2011 at 2:55 PM, Martin Millnert <milln...@gmail.com> wrote:
>>>> Here be dragons,
>>> <snip>
>>>> It should be fairly obvious, by most recently what's going on in
>>>> Egypt, why allowing a government to control the Internet is a Really
>>>> Bad Idea.
>>>> 
>>> 
>>> how is the egypt thing related to rPKI?
> >>> How is the proposed rPKI work related to gov't control?
>> 
>> In theory at least, entities closer to the RPKI root (RIRs, IANA) could 
>> invalidate routes for any sort of policy reasons.  This might provide 
>> leverage to certain governments, perhaps even offering the ability to 
>> control routing beyond their jurisdiction.
>> 
>> As an example, it's imaginable that the US government could require IANA or 
>> ARIN to delegate authority to the NSA for a Canadian ISP's routes.  Feel 
>> free to replace the RIR/LIR and country names, to suit your own example.
>> 
>> Cheers,
>> -Benson
>> 
>> 
> 
> 

