[135405] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jan 24 21:12:09 2011
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <BA751A64-E737-436E-B210-A3A4BBDB6E69@tcb.net>
Date: Tue, 25 Jan 2011 09:11:13 +0700
To: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 25, 2011, at 8:59 AM, Danny McPherson wrote:
> I just don't like the notion of deploying a brand new system with data
> that at the end of the day is going to look an awful lot like the
> existing in-addr.arpa delegation system that's deployed, and introduce
> new hierarchical shared dependencies that don't exist today.
Right - so, the macro point here is that in order to make use of rPKI so
as to ensure the integrity of the global routing system, the
presupposition is that there's already sufficient integrity in said
routing global system for the rPKI tree to be successfully walked in the
first place, given that it's all in-band, right?
And since it's all in-band, anyways, with the recursive dependencies
that implies, why not make use of another, pre-existing inband
hierarchical system which is explicitly designed to ensure the integrity
of its answers, and which is already in the initial stages of its
deployment - i.e., DNSSEC?
Note I'm not advocating this position, per se, just being sure I
understand the argument for purposes of discussion.
------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.
-- Alan Kay