Thus spake Roland Dobbins (rdobb...@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
>
> On 2 Jun 2015, at 11:07, Mark Andrews wrote:
>
> > If you have secure BGP deployed then you could extend the authentication
> > to securely authenticate source addresses you emit and automate
> > BCP38 filter generation and then you wouldn't have to worry about
> > DNS, NTP, CHARGEN etc. reflecting spoofed traffic
>
> This can be and is done by networks which originate routes and which
> practice good network hygiene, no PKI required.
>
> But then we get into the customer of my customer (of my customer, of my
> customer . . .) problem, and things aren't quite so clear.
>
> There are also potentially significant drawbacks to incorporating PKI into
> the routing space, including new potential DoS vectors against PKI-enabled
> routing elements, the potential for enumeration of routing elements, and the
> possibility of building a true 'Internet kill switch' with effects far
> beyond what various governmental bodies have managed to do so far in the DNS
> space.
>
> Once governments figured out what the DNS was, they started to use it as a
> ban-hammer - what happens in a PKIed routing system once they figure out
> what BGP is?
>
> But nobody seems to be discussing these potential drawbacks, very much.

Start here: https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf

Dale
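As an added illustration of the "automate BCP38 filter generation" idea raised in the quoted text (example code written for this page, not from any poster on the thread): it takes constructed ROA-style records, collapses the prefixes a customer ASN is validated to originate into permitted source ranges, renders an ingress ACL in a hypothetical Cisco-like syntax, and checks sample source addresses against the result. The record values, ASNs and ACL syntax are all assumptions.

```python
import ipaddress

# Constructed ROA-style records (prefix, maxLength, origin ASN).
# Illustrative values only; not real ROAs. IPv4 only, since
# collapse_addresses() refuses to mix address families.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("192.0.3.0/24", 24, 64500),
    ("198.51.100.0/24", 26, 64500),
    ("203.0.113.0/24", 24, 64501),
]


def allowed_sources(roas, asn):
    """Collapse the prefixes `asn` is validated to originate into a minimal
    list of networks. maxLength governs which more-specifics the ASN may
    announce; every such more-specific lies inside the covering prefix, so
    it does not change the set of legitimate source addresses."""
    nets = [ipaddress.ip_network(p) for p, _, a in roas if a == asn]
    return list(ipaddress.collapse_addresses(nets))


def bcp38_acl(roas, asn, name="bcp38-in"):
    """Render an ingress filter for the interface facing `asn`:
    permit only validated source ranges, log and drop everything else.
    The ACL syntax is a hypothetical Cisco-like rendering."""
    lines = [f"ip access-list extended {name}"]
    for net in allowed_sources(roas, asn):
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def source_permitted(roas, asn, src):
    """Would a packet with source `src`, arriving from `asn`, pass the filter?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(roas, asn))


if __name__ == "__main__":
    print("\n".join(bcp38_acl(ROAS, 64500)))
    # A source inside another customer's validated space is spoofed from
    # the perspective of AS64500's interface and is rejected.
    for src in ("192.0.2.10", "203.0.113.5", "10.0.0.1"):
        print(src, "permitted" if source_permitted(ROAS, 64500, src) else "dropped")
```

The same generator can be driven from whatever validated origin data an operator trusts; the point is that the permitted source set is derived, not hand-maintained per customer.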