[81023] in North American Network Operators' Group
Re: soBGP deployment
daemon@ATHENA.MIT.EDU (Edward Lewis)
Mon May 23 14:34:18 2005
In-Reply-To: <BEB7926C.BD59%dgolding@burtongroup.com>
Date: Mon, 23 May 2005 14:33:32 -0400
To: Daniel Golding <dgolding@burtongroup.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: <bmanning@vacation.karoshi.com>, <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
At 14:00 -0400 5/23/05, Daniel Golding wrote:
My reply is mostly tongue-in-cheek. I think it's always healthy to
explore alternatives.
>Why not do something simple? The in-addr.arpa reverse delegation tree is
>pretty accurate. We use it for lots of different things. Why not just give
>IP address blocks a new RR (or use a TXT record) to identify ASN? This
>solves the biggest problem we have right now, which is stealing of address
>blocks. It requires little processor overhead, and only a few additional DNS
>lookups. It's reasonably foolproof.
I'll ignore that you said "(or use a TXT record)". ;)
Without DNSSEC, what does this buy? "Secure" information on a
non-secure channel.
If, by "stealing addresses" you mean that the RIR records are
changed, then changing the name servers is trivial - changing to
servers that have the hijacker's preferred data (or none!).
>Why create reliance on more databases? The RIRs are iffy. We rely on DNS
>right now. Why not keep relying on it? This solution doesn't solve all of
>our problems, but it does help, it's easy, and people will implement it.
Who populates the DNS (well, the .arpa domain)? The RIRs do.
>Ok, please start flaming now :)
Brave to make such a request on a Monday afternoon.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
If you knew what I was thinking, you'd understand what I was saying.
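The design point argued in this exchange (an ASN record under in-addr.arpa is only useful as origin data if the answer is authenticated) as an added example, not code from either poster. It assumes a hypothetical TXT format `origin-as:<asn>` and uses a constructed dictionary in place of a real DNS response, with `authenticated` standing in for the resolver's DNSSEC AD bit.

```python
import ipaddress

# Hypothetical record format, constructed for this example (never proposed on the list):
# a TXT record at the prefix's in-addr.arpa name reading "origin-as:<asn>".
RECORD_PREFIX = "origin-as:"


def reverse_zone_name(prefix: str) -> str:
    """Map an octet-aligned IPv4 prefix to its in-addr.arpa name.

    192.0.2.0/24 -> "2.0.192.in-addr.arpa."  ;  10.0.0.0/8 -> "10.in-addr.arpa."
    """
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 delegations map to one in-addr.arpa name")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def parse_origin_as(txt_strings):
    """Collect the ASNs declared by well-formed origin-as strings; ignore everything else."""
    asns = set()
    for s in txt_strings:
        body = s[len(RECORD_PREFIX):]
        if s.startswith(RECORD_PREFIX) and body.isdigit():
            asns.add(int(body))
    return asns


def validate_origin(prefix: str, announced_as: int, answer: dict) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    `answer` is a constructed stand-in for a DNS response:
    {"name": owner name, "txt": [TXT strings], "authenticated": AD-bit equivalent}.
    Unauthenticated data (no DNSSEC) can come from whatever servers the hijacker
    pointed the delegation at, so it never yields 'valid' or 'invalid'.
    """
    if answer.get("name") != reverse_zone_name(prefix):
        return "unknown"          # answer is not for the zone we asked about
    if not answer.get("authenticated"):
        return "unknown"          # Lewis's objection: secure data on a non-secure channel
    asns = parse_origin_as(answer.get("txt", []))
    if not asns:
        return "unknown"          # zone carries no usable origin record
    return "valid" if announced_as in asns else "invalid"


if __name__ == "__main__":
    signed = {"name": "2.0.192.in-addr.arpa.", "txt": ["origin-as:64496"], "authenticated": True}
    unsigned = dict(signed, authenticated=False)  # same data, plain DNS: not trusted
    print(validate_origin("192.0.2.0/24", 64496, signed))    # valid
    print(validate_origin("192.0.2.0/24", 64511, signed))    # invalid
    print(validate_origin("192.0.2.0/24", 64496, unsigned))  # unknown
```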