Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
>
>
> >If you have secure BGP deployed then you could extend the authentication
> >to securely authenticate source addresses you emit and automate
> >BCP38 filter generation and then you wouldn't have to worry about
> >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
>
> This can be and is done by networks which originate routes and which
> practice good network hygiene, no PKI required.
But it is a manual process, or trust that the information added to this
database is correct. Automating the process, even if it is only at
the customer/ISP edge where customer == ISP is tagged as an exception,
would be a big win.
> But then we get into the customer of my customer (of my customer, of my
> customer . . .) problem, and these aren't quite so clear.
>
> There are also potentially significant drawbacks to incorporating PKI into
> the routing space, including new potential DoS vectors against PKI-enabled
> routing elements, the potential for enumeration of routing elements, and the
> possibility of building a true 'Internet kill switch' with effects far
> beyond what various governmental bodies have managed to do so far in the DNS
> space.
Yes, there are trade-offs. As for that "Internet kill switch", ISPs
could theoretically be ordered to block all traffic to a prefix.
I know that this is theoretically possible today with Australian
legislation and basically has been since the very beginning, as it
is in the telecommunications acts.