[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
David Conrad
drc at virtualized.org
Tue May 3 18:38:46 CEST 2011
Sascha,

On May 3, 2011, at 8:44 AM, Sascha Luck wrote:
> There is no policy that determines that "everything longer than a /24 is not routable" either. If all your transits insist on rpki-signed advertisements, it becomes de-facto mandatory.

Agreed.

> The fundamental issue with this proposal is that it, like the block-lists that some governments dream of, establishes an infrastructure that is open to abuse. Everything that *can* be abused, no matter how well-intentioned it may have been, *will* be abused. And the last thing, in my opinion, that the DFZ needs is *another* attack vector.

At an abstract level, RPKI merely provides a way of validating the contents of the address registration database(s) that is (more) amenable to automation than current systems. The implication of this is that it will give the signers of resources anywhere in the chain the ability to impose policy on those beneath them in the chain of trust. In theory, that power exists today, e.g., RIPE could revoke an allocation and remove it from the registration database, resulting in an implicit revocation of all addresses assigned with the address space that had been allocated.

I'm not aware of any abuse of the current system. Is your concern that the new system will make abuse somehow easier?

Regards,
-drc