On Sun, Feb 14, 2010 at 4:54 AM, SM <sm@xxxxxxxxxxxx> wrote: > Hello, > At 02:55 12-02-10, IAB Chair wrote: >> >> IAB statement on the RPKI. >> >> = RPKI as a prerequisite for improving the security of the global >> routing system. > > It would be preposterous of me to disagree with the opinion of the learned > members of the IAB. I don't think that any member of the IAB would claim that their expertise in the PKI field precluded debate. This is not a technical issue, it is a political issue. IANA and ICANN have a really, really bad record when it comes to setting up root authorities. Any plan that requires their involvement is going to take considerably more time and effort than one where their involvement is optional. The substantive statements being issued in the PKI are going to consist of a RIR issuing an assertion of the form 'The holder of the key X has the authority to assign AS numbers to the IP address space Y through Z'. There are five RIRs, this number is not going to increase in the short term. Participation of the RIRs is critical for an authoritative system. Participation of ICANN is not. The risk of including ICANN is that misguided or not, there are lots of people who have concerns as to the power that the US exercises over the Internet through their defacto control of ICANN. One common concern is that the US could use such control to ensure that US ISPs were favored in the distribution of the remaining IPv4 blocks. The people who hold these views are not stupid, they just hold a completely different world view. A world view that is not going to be overturned by rational arguments based on the world view largely shared by the IAB. And some of those people hold positions of authority that can pretty much ensure that any ICANN sponsored root never happens. In the diplomatic world, you do not accept a position based on 'trust me'. The original DNS emerged by accident because nobody was looking. X.500 died because everyone was watching and there was a sufficiently large number of parties who prefered no system to an unacceptable system. As most people here are aware, the Internet has become a forum for proxy-warfare and symbolic warfare. There will be considerable opposition even with the changes I propose: certain parties do not want this system to be secure. A better alternative to a single root structure would be for each RIR to cross certify with the other RIRs. This eliminates the objection to 'US dominance', eliminates ICANN as a roadblock and provides for redundancy. The security difference between the two scheme is that a single root system headed by ICANN could in theory prevent 'defection' by a RIR. In practice this would require a lot more technical mechanism. ICANN would have to certify each mega-block allocation. I don't think it is very likely that end entities are going to be checking the block allocations on every transaction absent an expectation that the RIRs might defect. But the possibility that they might will mean that the RIRs will lose authority should they co-operate with such a scheme. In conclusion, I strongly recommend that we do not repeat the disastrous political mistakes of DNSSEC that have blocked deployment for over a decade and will still continue long after the DNSSEC root is deployed. Deployment of infrastructure on this scale requires that we make a commitment to deployment a higher priority than the realization of a specific technical architecture. -- New Website: http://hallambaker.com/ View Quantum of Stupid podcasts, Tuesday and Thursday each week, http://quantumofstupid.com/ _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf