[88281] in North American Network Operators' Group


Re: So -- what did happen to Panix?

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Jan 27 10:42:46 2006

In-Reply-To: <20060127125140.GB19165@vacation.karoshi.com.>
Cc: Randy Bush <randy@psg.com>, Jared Mauch <jared@puck.nether.net>,
	nanog@nanog.org
From: Joe Abley <jabley@isc.org>
Date: Fri, 27 Jan 2006 10:42:11 -0500
To: bmanning@vacation.karoshi.com
Errors-To: owner-nanog@merit.edu



On 27-Jan-2006, at 07:51, bmanning@vacation.karoshi.com wrote:

> 	perhaps you mean certified validation of prefix origin
> 	and path.

In the absence of path validation, a method of determining the real  
origin of a prefix is also required, if the goal is to prevent  
intentional hijacking as well as unintentional origination. Simply  
looking at the right-most entry in the AS_PATH doesn't cut it, since  
anybody can "set as-path prepend P".

This suggests to me that either we can't separate origin validation  
from path validation (which sucks the former into the more difficult  
problems associated with the latter), or we need a better measure of  
"origin" (e.g. a PKI and an attribute which carries a signature).


Joe
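
The limitation described in the message above, as an added example that is not part of the original post: an origin check that trusts the right-most AS_PATH entry catches accidental mis-origination but classes a path with a prepended origin as valid. The table, prefixes and AS numbers are constructed from documentation ranges, and `check_origin` is a hypothetical helper, not any router's or validator's API.

```python
import ipaddress

# Constructed table of authorised origins (documentation prefixes and ASNs).
AUTHORISED = {
    ipaddress.ip_network("192.0.2.0/24"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64500},
}

def apparent_origin(as_path):
    """Right-most AS in the AS_PATH: what an origin-only check believes."""
    return as_path[-1]

def check_origin(prefix, as_path):
    """Classify a route using only the prefix and the right-most AS."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in AUTHORISED
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"          # nothing in the table covers this prefix
    best = max(covering, key=lambda p: p.prefixlen)  # most specific entry
    return "valid" if apparent_origin(as_path) in AUTHORISED[best] else "invalid"

# Constructed announcements as seen by a receiving AS (left = nearest neighbour).
ROUTES = {
    # Genuine route: AS64496 really originated the prefix.
    "genuine": ("192.0.2.0/24", [64510, 64505, 64496]),
    # Unintentional origination: AS64499 announces it as its own.
    "accidental": ("192.0.2.0/24", [64510, 64499]),
    # AS64499 announces it with AS64496 placed at the right-hand end.
    "prepended-origin": ("192.0.2.0/24", [64510, 64499, 64496]),
    # Prefix with no entry in the table.
    "no-entry": ("198.51.100.0/24", [64510, 64501]),
}

def classify_all():
    return {name: check_origin(pfx, path) for name, (pfx, path) in ROUTES.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:17s} {verdict}")
```

The "genuine" and "prepended-origin" routes receive the same verdict because nothing in the check binds the right-most AS to the party that actually sent the announcement, which is the gap the message attributes to origin validation without path validation or a signed origin attribute.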

