Home page logo
/

nanog logo nanog mailing list archives

Re: route ingress
From: Vadim Antonov <avg () pluris com>
Date: Wed, 7 Jan 1998 03:33:27 -0800 (PST)

The issue here is people deliberately injecting bogus routing information.
Any "chain of trust" systems break down if there's somebody abusing the
trust.  This means that tier-1 ISPs shouldn't trust routing information
coming from tier-2 ISPs, etc.  That leaves the only workable option -
cryptographical authentication of routes, by the presense of signature
by a trusted address space registry.

--vadim

Date: Wed, 7 Jan 1998 12:39:26 +0300 (MSK)
From: "Alex P. Rudnev" <alex () Relcom EU net>
To: Vadim Antonov <avg () pluris com>

I am sorry, but what for do you want it? Why is not efficient to use AS 
identification in conjuction to IP prefix filtering at the 1't level ISPs 
(and may be 2'nd level too), based on the NIC data base.

On Tue, 6 Jan 1998, Vadim Antonov wrote:

Date: Tue, 06 Jan 1998 13:23:47 -0800
From: Vadim Antonov <avg () pluris com>
To: "Sean M. Doran" <smd () clock org>, nanog () merit edu
Subject: Re: route ingress

Sean M. Doran wrote:

Vadim Antonov ?avg () pluris com? writes:

? The only real solution is strong cryptographical authentication of
? the ownership of routing prefixes.   For some reason i do not see
? any serious work in that direction being done.

This would be much easier if we had a bottom-up
hierarchical addressing structure rather than the
current top-down one.

I quite agree with that (though i'm not convinced that "bottom->top"
allocation combined with recursive NATting is the best architecture).

However, this does not preclude doing authentication with the current
routing system.

--vadim


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]