[81021] in North American Network Operators' Group
Re: soBGP deployment
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Mon May 23 14:16:08 2005
From: Jeroen Massar <jeroen@unfix.org>
To: Daniel Golding <dgolding@burtongroup.com>
Cc: nanog@nanog.org
In-Reply-To: <BEB7926C.BD59%dgolding@burtongroup.com>
Date: Mon, 23 May 2005 20:15:15 +0200
Errors-To: owner-nanog@merit.edu
On Mon, 2005-05-23 at 14:00 -0400, Daniel Golding wrote:
>
> I suspect the right thing to do is to ask why soBGP and sBGP have failed?
>
> And yes, they've failed. Just like DNSSec, we aren't seeing even limited
> adoption. Why? Too complex, too many moving parts, too much reliance on iffy
> third parties and requires mass adoption.
>
> I suggest that the community finds something that gives us most of what we
> want, is simple to understand, and can be implemented in a piece-wise
> fashion. Look at SPF - not perfect, but certainly useful. It is simple, easy
> to implement, and IS being implemented.
<sidetrack>
SPF gets implemented by a few. I won't implement it, simply because it
will break my mail setup: the mechanism format does not allow optional
mechanisms to be defined. E.g., if I would use in DNS:
"v=spf1 ip6:2001:db8::/48 -all"
any host which implements SPF checks but does not know how to do ip6
checks will drop the mail in the trashcan, even though the message went
100% through an IPv6-only path and the mail is 100% legit.
But this is a non-issue of course, as everybody uses IPv6 only... just
like nobody uses DNSSec and other cool toys.
</sidetrack>
<SNIP>
> Why not do something simple? The in-addr.arpa reverse delegation tree is
> pretty accurate. We use it for lots of different things. Why not just give
> IP address blocks a new RR (or use a TXT record) to identify ASN? This
> solves the biggest problem we have right now, which is stealing of address
> blocks. It requires little processor overhead, and only a few additional DNS
> lookups. Its reasonably foolproof.
<sarcastic smiling comment> But you are the fool here </sa....>
So your router boots and receives a prefix, and then you are going to
check, using the just-received prefix, whether it is legit to be sent from
that ASN; remember that it was just faked :) Or do it before you get it,
and thus don't have a route...
L3-on-L3 dependencies don't work, unfortunately.
I am really glad the IETF has a lot of people who catch the above things
quite easily because of expertise and experience.
Btw, "pretty accurate" is not good enough, unfortunately...
Greets,
Jeroen
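The SPF failure mode in the sidetrack above, as an added illustration (this is not code from the mail, nor from any SPF implementation): a small evaluator for the ip4, ip6 and all mechanisms that returns PermError on any mechanism it does not recognise, which is what the SPF specification prescribes for unknown mechanisms. The two checker profiles (FULL_CHECKER, IPV4_ONLY_CHECKER) and the sender addresses are assumptions constructed for the example from the RFC 3849 / RFC 5737 documentation prefixes; the first record is Jeroen's, with 2001:db8::/48 kept as given.

```python
"""Toy SPF evaluator (ip4/ip6/all only), added to illustrate the mail above.

It shows why a record whose only positive mechanism is ip6:..., evaluated by
a checker that never learned the ip6 mechanism, ends in PermError rather
than a pass: the checker bails out on the first directive it cannot
interpret, so a legitimate IPv6-delivered message is rejected.
"""
import ipaddress

# Qualifier prefixes map to SPF results when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Two hypothetical checkers (assumption for this example): one that knows the
# three mechanisms handled here, and one that was written without ip6.
FULL_CHECKER = frozenset({"ip4", "ip6", "all"})
IPV4_ONLY_CHECKER = frozenset({"ip4", "all"})


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) directives.

    Modifiers such as redirect= and exp= are skipped; a record that does not
    start with v=spf1 raises ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    directives = []
    for term in terms[1:]:
        if "=" in term:  # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        directives.append((qualifier, name.lower(), arg))
    return directives


def check_host(record, client_ip, supported=FULL_CHECKER):
    """Evaluate `record` for the connecting `client_ip`.

    Returns pass/fail/softfail/neutral/permerror. Any mechanism outside
    `supported` yields "permerror", as the specification requires for an
    unknown mechanism; an ip6-unaware checker therefore never reaches -all.
    """
    addr = ipaddress.ip_address(client_ip)
    try:
        directives = parse_spf(record)
    except ValueError:
        return "permerror"
    for qualifier, name, arg in directives:
        if name not in supported:
            return "permerror"
        if name == "all":
            matched = True
        else:  # ip4 / ip6: CIDR match, only within the right address family
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network argument
            expected_version = 4 if name == "ip4" else 6
            if net.version != expected_version:
                return "permerror"  # ip4: with a v6 prefix or vice versa
            matched = addr.version == net.version and addr in net
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit all


# Constructed samples: Jeroen's record as written, plus an IPv4-only record.
JEROEN_STYLE_RECORD = "v=spf1 ip6:2001:db8::/48 -all"
IPV4_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"


def demo():
    """Return the outcomes the sidetrack argues about, keyed by scenario."""
    v6_sender = "2001:db8:0:1::25"  # constructed, inside the /48
    v4_sender = "192.0.2.10"        # constructed, inside 192.0.2.0/24
    return {
        "v6 sender, full checker": check_host(JEROEN_STYLE_RECORD, v6_sender),
        "v6 sender, ip6-unaware checker": check_host(
            JEROEN_STYLE_RECORD, v6_sender, IPV4_ONLY_CHECKER),
        "v4 sender, v6-only record": check_host(JEROEN_STYLE_RECORD, v4_sender),
        "v4 sender, v4 record": check_host(IPV4_RECORD, v4_sender),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The caveat a practitioner would add: ip6 is a standard mechanism in RFC 4408, so a checker that lacks it is non-compliant rather than exercising an "optional" path, and a receiver that treats PermError as a hard reject (rather than, as the RFC suggests, no worse than a missing record) is where the legitimate mail actually gets lost. The example reproduces that outcome; it does not change what the mail claims.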