[152423] in North American Network Operators' Group


Re: rpki vs. secure dns?

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Sat Apr 28 13:23:04 2012

X-Envelope-To: nanog@nanog.org
Date: Sat, 28 Apr 2012 18:22:15 +0100
From: Nick Hilliard <nick@foobar.org>
To: Alex Band <alexb@ripe.net>
In-Reply-To: <E81ED66C-EE27-42B0-866E-F2AD4FF0614B@ripe.net>
Cc: Paul Vixie <vixie@isc.org>, Florian Weimer <fw@deneb.enyo.de>,
 "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 28/04/2012 14:04, Alex Band wrote:
> they do not trust, or have a specific local policy for. In the toolsets
> for using the RPKI data set for routing decisions, such as the RIPE NCC
> RPKI Validator, every possible step is taken to ensure that the
> operator is in the driver's seat.

Leaving aside technical matters, this is one of the more contentious
political issues with RPKI.  RPKI is a tool which can be used to locally
influence routing decisions, but allows centralised control of prefix
authenticity.  If this central point is influenced to invalidate a specific
prefix, then that will cause serious reachability problems for that prefix
on the Internet.

It will be difficult for politicians / legislators / LEAs to look at a
technology like this and not see its potential for implementing wide-area
Internet blocking.  For sure, the LEAs currently looking at it are
extremely interested.

Nick

