Re: [ripe-list] RPKI -> RSPL Objects
> The point is: if you pull the RPKI stuff and build the RPSL stuff locally, you *know* that all data is trusted and hasn't been modified (because everything coming from extern is signed and can be validated).
if everybody had digested security 101, the internet might not be the dumpster fire it is today :)
but this stuff is intuitive only if one has a twisted mind. so i blame myself for explaining inadequately. that part is tough too.
randy
You should take this conversation to the folk at Google. They are pushing really hard for IRR objects.
On 25 Apr 2019, at 16:01, Randy Bush wrote:
>> The point is: if you pull the RPKI stuff and build the RPSL stuff locally, you *know* that all data is trusted and hasn't been modified (because everything coming from extern is signed and can be validated).
> if everybody had digested security 101, the internet might not be the dumpster fire it is today :)
> but this stuff is intuitive only if one has a twisted mind. so i blame myself for explaining inadequately. that part is tough too.
> randy
> You should take this conversation to the folk at Google. They are pushing really hard for IRR objects.
i suspect the key person at goog reads this list, is very aware of the security models, etc.
my poor second party understanding is that they want irr as well as rpki, real irr, not cross-generated, and intend to mash them together with other things to form their border trust.
randy
This is exactly why we (lacnic) won’t spin up a new IRR. We’ll just provide the convenience of generating the RPSL, plus adding what appears to be the missing feature of AS-SETs
On 25 Apr 2019, at 16:06, Randy Bush wrote:
> my poor second party understanding is that they want irr as well as rpki, real irr, not cross-generated, and intend to mash them together with other things to form their border trust.
> This is exactly why we (lacnic) won’t spin up a new IRR. We’ll just provide the convenience of generating the RPSL, plus adding what appears to be the missing feature of AS-SETs
>> my poor second party understanding is that they want irr as well as rpki, real irr, not cross-generated, and intend to mash them together with other things to form their border trust.
as-sets in the irr are cool; use ‘em daily. as-sets in the rpki (or whatever they are called this week), i still do not understand. what is the trust model? if someone is signing an as-set, with what do they sign it, and to what are they actually attesting? since one usually uses the transitive closure of an as-set, and that changes quite frequently, any attestation is bogus.
randy
participants (2)
- Carlos M. Martinez
- Randy Bush