Home page logo

nanog logo nanog mailing list archives

Re: So -- what did happen to Panix?
From: Joe Abley <jabley () isc org>
Date: Fri, 27 Jan 2006 10:42:11 -0500

On 27-Jan-2006, at 07:51, bmanning () vacation karoshi com wrote:

        perhaps you mean certified validation of prefix origin
        and path.

In the absense of path valdiation, a method of determining the real origin of a prefix is also required, if the goal is to prevent intentional hijacking as well as unintentional origination. Simply looking at the right-most entry in the AS_PATH doesn't cut it, since anybody can "set as-path prepend P".

This suggests to me that either we can't separate origin validation from path validation (which sucks the former into the more difficult problems associated with the latter), or we need a better measure of "origin" (e.g. a PKI and an attribute which carries a signature).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]