Todd Underwood wrote:
seems to me that certified validation of prefix ownership and as
path are the only real way out of these problems that does not
teach us the 42 reasons we use a *dynamic* protocol.
certified validation of prefix ownership (and path, as has been
pointed out) would be great. it's clearly a laudable goal and seemed
like the right way to go. but right now, no one is doing it. the
rfcs that i've found have all expired. and the conversation about
it has reached the point where people seem to have stopped even
disagreeing about how to do it. in short, it's as dead as dns-sec.
so what are we to do in the meantime?
(a) I'd hardly say dead - there's the sidr work starting up in the
IETF with vendor/operator/registry participation. And there was a
panel discussion at the last NANOG about government efforts to assemble
the right people (vendors/operators/registries/etc) to work on routing
infrastructure security - and prefix origination was one of the biggest
items on everyone's list of goals/hopes/longings/dreams.
(Truth in advertising: I've been one of those involved in the gov't
(b) dnssec isn't dead - there's serious work afoot to get it deployed.
Sweden and RIPE have signed their zones. There are web sites
that point to work going on, if you'd like to know more:
(Truth in advertising: I work with people who are working on this.)
(z) I think you mean internet drafts, not rfcs. I don't think
there have been any rfcs (would there were - we'd be in a different
situation), and rfcs don't expire.