[111826] in North American Network Operators' Group


Re: Global Blackhole Service

daemon@ATHENA.MIT.EDU (Randy Bush)
Fri Feb 13 16:42:03 2009

Date: Sat, 14 Feb 2009 06:41:50 +0900
From: Randy Bush <randy@psg.com>
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <87iqnecat7.fsf@mid.deneb.enyo.de>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

eventually, the rpki will give you the first half, authentication
of the owner of the ip space.  this leaves, as smb hinted, securing
the request path from the black-hole requestor to the service and
of the service to the users.

smb:
> You can't do this without authoritative knowledge of exactly who
> owns any prefix; you also have to be able to authenticate the
> request to blackhole it.  Those two points are *hard*.

randy

