Randy Bush wrote:
if we are lucky, this time next year, you will be able to verify an X.509 certificate chain with rfc 3779 resource extensions, and have significant confidence in rights to address and asn resources.

As I understand it, I can verify the origin of a prefix and the prefix itself, but it can't authorize whether a certain as-path is legitimate or not. Like I can figure it out from a routing registry DB. Isn't it?
the current work will provide a formally verifiable demonstration of ownership of address space.
to achieve your goal _formally_ will require something like sbgp.
the irr is an informal way to kinda achieve what you want. and we use it today.
one first useful step for an isp is to use the x.509 data to verify ownership assertions in the irr when building filter lists, for example.
I just think (if I understood that correctly; sorry, but this RFC is not easy reading) a small enhancement of this will give us a large improvement: we can do filtering of unauthorized announcements (announcements of the right prefix originated with the right AS but from the wrong place)!

--
WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
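The filter-building step suggested in the thread (checking IRR ownership assertions against X.509 resource data) could look like the sketch below. It is an added example, not code from the thread or from any project. It assumes signatures are already verified and the RFC 3779 address blocks already decoded, and the maintainer-to-chain mapping, field names and sample data are constructed for illustration. It checks address holdership only and says nothing about the AS path.

```python
import ipaddress

def covered(prefix, resources):
    """True if prefix lies inside one of the certified address blocks."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == r.version and net.subnet_of(r) for r in resources)

def chain_resources(chain):
    """Walk a chain (trust anchor first) and enforce RFC 3779 encompassment:
    each certificate's blocks must lie within its issuer's blocks.
    Returns the leaf's blocks, or None if the chain is empty or over-claims."""
    parent = None
    for cert in chain:
        blocks = [ipaddress.ip_network(p) for p in cert["prefixes"]]
        if parent is not None and not all(covered(str(b), parent) for b in blocks):
            return None
        parent = blocks
    return parent

def build_filter(route_objects, chains):
    """Keep IRR route objects whose prefix is certified to their maintainer."""
    accepted = []
    for obj in route_objects:
        res = chain_resources(chains.get(obj["mnt_by"], []))
        if res and covered(obj["route"], res):
            accepted.append((obj["route"], obj["origin"]))
    return accepted

# Constructed sample data (documentation prefixes and AS numbers).
CHAINS = {
    "MAINT-EXAMPLE-A": [
        {"subject": "RIR", "prefixes": ["192.0.2.0/24", "198.51.100.0/24"]},
        {"subject": "ISP-A", "prefixes": ["192.0.2.0/25"]},
    ],
    "MAINT-EXAMPLE-B": [  # leaf claims space its issuer does not hold
        {"subject": "RIR", "prefixes": ["198.51.100.0/24"]},
        {"subject": "ISP-B", "prefixes": ["203.0.113.0/24"]},
    ],
}
ROUTE_OBJECTS = [
    {"route": "192.0.2.0/26", "origin": "AS64496", "mnt_by": "MAINT-EXAMPLE-A"},
    {"route": "192.0.2.128/25", "origin": "AS64496", "mnt_by": "MAINT-EXAMPLE-A"},
    {"route": "203.0.113.0/24", "origin": "AS64497", "mnt_by": "MAINT-EXAMPLE-B"},
    {"route": "198.51.100.0/24", "origin": "AS64498", "mnt_by": "MAINT-EXAMPLE-C"},
]

if __name__ == "__main__":
    for route, origin in build_filter(ROUTE_OBJECTS, CHAINS):
        print("permit", route, "origin", origin)
```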