The same folks also followed up that workshop paper with a longer paper on the topic: https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf
On Tue, Jun 2, 2015 at 8:16 AM Dale W. Carder <dwcar...@wisc.edu> wrote:

> Thus spake Roland Dobbins (rdobb...@arbor.net) on Tue, Jun 02, 2015 at
> 03:05:13PM +0700:
> >
> > On 2 Jun 2015, at 11:07, Mark Andrews wrote:
> >
> > >If you have secure BGP deployed then you could extend the authentication
> > >to securely authenticate source addresses you emit and automate
> > >BCP38 filter generation and then you wouldn't have to worry about
> > >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
> >
> > This can be and is done by networks which originate routes and which
> > practice good network hygiene, no PKI required.
> >
> > But then we get into the customer of my customer (of my customer, of my
> > customer . . .) problem, and things aren't quite so clear.
> >
> > There are also potentially significant drawbacks to incorporating PKI into
> > the routing space, including new potential DoS vectors against PKI-enabled
> > routing elements, the potential for enumeration of routing elements, and the
> > possibility of building a true 'Internet kill switch' with effects far
> > beyond what various governmental bodies have managed to do so far in the DNS
> > space.
> >
> > Once governments figured out what the DNS was, they started to use it as a
> > ban-hammer - what happens in a PKIed routing system once they figure out
> > what BGP is?
> >
> > But nobody seems to be discussing these potential drawbacks, very much.
>
> Start here:
> https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
>
> Dale