nanog mailing list archives
Re: BGP to doom us all
From: Michael.Dillon () radianz com
Date: Mon, 3 Mar 2003 11:53:51 +0000
I like the idea of people being able to START on the authentication datbase of ownership/announcement in a distributed fashion, but perhaps there are other ways (perhaps DNS-based) of getting there as well...
Yes there are other ways and I suggest that the optimal choice of protocol for publishing this information is LDAP, not DNS. That's because there is no need for kludges to get the data that you need into LDAP since it supports a wide variety of data types. It can also be used in a hierarchical referral chain just like DNS. I am suggesting that the starting point here is to get ARIN to set up an LDAP server to authoritatively identify the leaseholder for all IP address space. Next step is to get ISPs to replace their creaking antiquated rwhois servers with LDAP servers. And then build up tools that use the data from the LDAP hierarchy to generate route filters, configure firewalls, manage SMTP filters, etc. If people want a PKI cert hierarchy, that data can go into the same servers. If people want to have secure BGP sessions they can have their network management system talking to the LDAP hierarchy to check certs and then tell their routers what to do. A router should never have to do any crypto itself.
: My opinion is that lazy operational practices are the single biggest
threat to
: the Internet.
One of the lazy operational practices is the proliferation of crudely hacked tools, often written in PERL which is like a swiss army knife made by tying together a knife, pliers, nailfile and screwdriver using dental floss and duct tape. There was a time when the net was growing too fast to plan and nobody had any experience or any benefit of hindsight. But times have changed and we now need to replace some of this rotting infrastructure with better general purpose tools that have some architectural planning behind them. Something like a Leatherman tool or a Victorinox swiss army knife. I believe that LDAP can be the core of this toolset. I also believe that we need to stop relying on the packet-forwarding box to do the entire job of routing and start using more auxiliary CPU power in a vendor independent way. There is plenty of experience in building rackmount Intel-based BSD/Linux servers that run as reliably as the routers themselves. Let these boxes do the job of authenticating and authorising route exchange and similar jobs. --Michael Dillon
Current thread:
- RE: Who uses RADB? [was BGP to doom us all], (continued)
- RE: Who uses RADB? [was BGP to doom us all] Michael Hallgren (Mar 01)
- Re: Who uses RADB? [was BGP to doom us all] Richard A Steenbergen (Mar 01)
- Re: Who uses RADB? [was BGP to doom us all] Jeffrey Meltzer (Mar 01)
- Re: BGP to doom us all Avi Freedman (Mar 01)
- Re: BGP to doom us all Sean Donelan (Mar 01)
- Re: BGP to doom us all Andy Dills (Mar 01)
- Re: BGP to doom us all Avi Freedman (Mar 02)
- Re: BGP to doom us all Iljitsch van Beijnum (Mar 02)
- Re: BGP to doom us all Jack Bates (Mar 03)
- Re: BGP to doom us all E.B. Dreger (Mar 03)
- Re: BGP to doom us all Michael . Dillon (Mar 03)
- Re: BGP to doom us all Stephane Bortzmeyer (Mar 03)
- Re: BGP to doom us all bmanning (Mar 03)
- RE: BGP to doom us all St. Clair, James (Mar 03)
- RE: BGP to doom us all Kuhtz, Christian (Mar 03)
- Re: BGP to doom us all bmanning (Mar 03)
- Re: BGP to doom us all David Conrad (Mar 03)
- Re: BGP to doom us all Michael . Dillon (Mar 03)
- Re: BGP to doom us all Michael . Dillon (Mar 03)