[153385] in North American Network Operators' Group
Re: ROVER routing security - its not enumeration
daemon@ATHENA.MIT.EDU (Shane Amante)
Tue Jun 5 15:27:26 2012
From: Shane Amante <shane@castlepoint.net>
In-Reply-To: <B394E03B-B833-4824-9ED5-C84D2B35F8F7@cs.colostate.edu>
Date: Tue, 5 Jun 2012 13:26:32 -0600
To: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
One correction below.
On Jun 5, 2012, at 12:42 PM, Daniel Massey wrote:
[--snip--]
> I think the first step is to step back and ask whether every operational model needs
> enumeration. For example, the talk yesterday by Level3 used the DNS and IRR
> did not need such an enumeration.
To clarify the above, the IRR _does_ provide an enumerated list of
"Candidate" (IP prefix + Origin_AS) pairs. The second step is to walk
through those "Candidate" pairs and ask DNSSEC, in question/answer
process, to validate that the "Candidate" IRR (IP prefix, Origin_AS)
pairs are authentic, or not. So, considering each step independently:
the former (IRR data) is enumeration, the second is not. However, in
the context of this specific operational model, the end result is an
enumerated list of validated (IP Prefix, Origin_AS) pairs.
-shane