Doug,

I was basing my comments on your statement "If only there were a global 
system..."  However you slice or dice it, the tyranny implications have not yet 
been addressed. That certainly needs to be in front of any technical idea such 
as RPKI.

Although I haven't participated in the OT&E, nothing I've read in RFC 6810 
talks about these issues. It talks about authentication and transport security, 
but doesn't talk about the potential for government interference.

 -mel beckman

On Sep 14, 2016, at 8:22 AM, Doug Montgomery 
<dougm.w...@gmail.com> wrote:

Mel,

If you are speaking of RPKI based origin validation, I am not sure "automated / 
global enforcement system" is a useful description. It does provide a 
consistent means for address holders to declare AS's authorized to announce 
prefixes, and a means for remote ASs to compare received updates vs such 
declarations. What the receiving AS does with the validation information is 
strictly a local policy matter.

Frankly, this is no more a "new automated enforcement system" than IRR-based 
route filtering has been for 20 years.  The only difference is that there is a 
consistent security model across all 5 RIRs as to who can make such 
declarations and it is tightly tied to the address allocation business process.

I have seen a lot of FUD about the specter of interference, but not a lot of 
serious thought / discussion.  Having a serious technical discussion of 
potential risks and mitigations in the system would be useful.

dougm

On Wed, Sep 14, 2016 at 10:51 AM, Mel Beckman 
<m...@beckman.org> wrote:
Scott and Doug,

The problem with a new automated enforcement system is that it hobbles both 
agility and innovation. ISPs have enjoyed simple BGP management, entirely 
self-regulated, for decades. A global enforcement system, besides being dang 
hard to do correctly, brings the specter of government interference, since such 
a system could be overtaken by government entities to manhandle free speech.

In my opinion, the community hasn't spent nearly enough time discussing the 
danger aspect. Being engineers, we focus on technical means, ignoring the fact 
that we're designing our own guillotine.

 -mel beckman

> On Sep 14, 2016, at 12:10 AM, Scott Weeks 
> <sur...@mauigateway.com> wrote:
>
>
>
> --- dougm.w...@gmail.com wrote:
> From: Doug Montgomery <dougm.w...@gmail.com>
>
> If only there were a global system, with consistent and verifiable security
> properties, to permit address holders to declare the set of AS's authorized
> to announce their prefixes, and routers anywhere on the Internet to
> independently verify the corresponding validity of received announcements.
>
> *cough      https://www.nanog.org/meetings/abstract?id=2846     cough*
> ------------------------------------------------
>
>
> Yes, RPKI.  That's what I was waiting for.  Now we can get to
> a real discussion... ;-)
>
> scott



--
DougM at Work
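To make concrete the distinction Doug draws above (RPKI origin validation only yields a validation state; what a router does with it is local policy), here is an added example, not from any poster in this thread, implementing the RFC 6811 origin-validation procedure over constructed VRPs (prefix, maxLength, origin ASN) and a separate, purely illustrative local-policy step. The VRP data and ASNs are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "notfound"

@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what a relying party hands the router."""
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # longest announcement the ROA authorizes
    origin_asn: int    # AS authorized to originate the prefix

def covers(vrp: VRP, route_prefix: str) -> bool:
    """A VRP covers a route when the route prefix lies within the VRP prefix."""
    v = ipaddress.ip_network(vrp.prefix)
    r = ipaddress.ip_network(route_prefix)
    return v.version == r.version and r.subnet_of(v)

def validate(route_prefix: str, origin_asn: int, vrps) -> State:
    """RFC 6811 route origin validation: NotFound / Valid / Invalid."""
    covering = [v for v in vrps if covers(v, route_prefix)]
    if not covering:
        return State.NOT_FOUND          # no ROA speaks to this prefix at all
    plen = ipaddress.ip_network(route_prefix).prefixlen
    if any(v.origin_asn == origin_asn and plen <= v.max_length for v in covering):
        return State.VALID
    return State.INVALID                # covered, but wrong origin or too-long prefix

def local_policy(state: State, base_pref: int = 100):
    """Purely local decision (constructed example): None means reject the route,
    otherwise the LOCAL_PREF to assign. Another AS may legitimately choose differently."""
    if state is State.INVALID:
        return None
    return base_pref + 10 if state is State.VALID else base_pref

# Constructed VRP set; ASNs are from the documentation range.
VRPS = [VRP("192.0.2.0/24", 24, 64496), VRP("2001:db8::/32", 48, 64497)]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64496)]:
        st = validate(pfx, asn, VRPS)
        print(f"{pfx} from AS{asn}: {st.value} -> local_pref {local_policy(st)}")
```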
