I like the idea of people being able to START on the authentication
datbase of ownership/announcement in a distributed fashion, but
perhaps there are other ways (perhaps DNS-based) of getting there
as well...
Yes there are other ways and I suggest that the optimal choice of protocol
for publishing this information is LDAP, not DNS. That's because there is
no need for kludges to get the data that you need into LDAP since it
supports a wide variety of data types. It can also be used in a
hierarchical referral chain just like DNS.
I am suggesting that the starting point here is to get ARIN to set up an
LDAP server to authoritatively identify the leaseholder for all IP address
space.
Next step is to get ISPs to replace their creaking antiquated rwhois
servers with LDAP servers.
And then build up tools that use the data from the LDAP hierarchy to
generate route filters, configure firewalls, manage SMTP filters, etc.
If people want a PKI cert hierarchy, that data can go into the same
servers. If people want to have secure BGP sessions they can have their
network management system talking to the LDAP hierarchy to check certs and
then tell their routers what to do. A router should never have to do any
crypto itself.
: My opinion is that lazy operational practices are the single biggest
threat to
: the Internet.
One of the lazy operational practices is the proliferation of crudely
hacked tools, often written in PERL which is like a swiss army knife made
by tying together a knife, pliers, nailfile and screwdriver using dental
floss and duct tape. There was a time when the net was growing too fast to
plan and nobody had any experience or any benefit of hindsight. But times
have changed and we now need to replace some of this rotting
infrastructure with better general purpose tools that have some
architectural planning behind them. Something like a Leatherman tool or a
Victorinox swiss army knife.
I believe that LDAP can be the core of this toolset.
I also believe that we need to stop relying on the packet-forwarding box
to do the entire job of routing and start using more auxiliary CPU power
in a vendor independent way. There is plenty of experience in building
rackmount Intel-based BSD/Linux servers that run as reliably as the
routers themselves. Let these boxes do the job of authenticating and
authorising route exchange and similar jobs.
--Michael Dillon
