[86959] in North American Network Operators' Group
Re: BGP Security and PKI Hierarchies
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Nov 24 14:24:30 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Sandy Murphy <sandy@tislabs.com>
Cc: nanog@nanog.org
Date: Thu, 24 Nov 2005 20:23:57 +0100
In-Reply-To: <200511221850.jAMIo9aW019384@tislabs.com> (Sandy Murphy's message
of "Tue, 22 Nov 2005 13:50:09 -0500 (EST)")
Errors-To: owner-nanog@merit.edu

* Sandy Murphy:

> How would you feel about having the registries serve as the root of
> a hierarchical certificate system?

What about the swamp space?

>>So an institution would have its "certificate" signed
>>by its upstream (or one of its upstream) providers.

(Don't know where that quote comes from.)

Why is this significantly better than ISP filters which prevent bogus
announcements from reaching wide propagation?

I've seen bogus announcements for which big ISPs have created
corresponding RADB entries. Wouldn't they just create certificates in
the new "secure BGP", and nothing is won?