Re: [RPSEC] Interior vs exterior?
>>>>> "Iljitsch" == Iljitsch van Beijnum <iljitsch@muada.com> writes:
bmanning> the centralized nature of the IRR system is problematic.
bmanning> an approach that was attempted to push the responsibility
bmanning> out to the folks that hold the delegations.
bmanning> see: http://www.isi.edu/~bmanning/inet98.html
bmanning> for a method that preserves the semantics of RPSL,
bmanning> while ensuring that the end sites are responsible for
bmanning> the accuracy of the information published.
bmanning> This only works if we can secure the DNS tho... :)
Iljitsch> I did a quick read, so I may have missed some things...
Iljitsch> A few problems/questions:
Iljitsch> - Currently, the RR does syntax checking. This has saved me a
Iljitsch> number of times, and I'm sure there are many people that have
Iljitsch> an even harder time getting this right than I do.
There are two goals which are orthogonal:
1) make the IRR more available, and provide integrity checking to it.
2) make the end-sites responsible for content.
Iljitsch> - Supposedly, the information would reside inside the network
Iljitsch> advertising a routing policy itself. What happens if this
Iljitsch> network is unreachable?
Same as what happens with other DNS info - you have to have secondaries.
We can even, initially, replicate the current IRR by having the RIRs
secondary all zones themselves.
Iljitsch> - What about delays and inconsistencies that arise when new
Iljitsch> delegations must be created and/or information is changed
Iljitsch> but still cached in certain places?
Bill's paper points out that we currently live with 36+ hour delays in
the data.
As for DNS vs "something else". We don't have a "something else" yet,
so let's just assume a "DNS-like" solution - one that supports secure
replication, authentication and online queries.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec