[ppml] routing certificate usefulness [Policy Proposal: IPv4 Soft Landing]

[Pekka Savola]

On Fri, 18 May 2007, Jeroen Massar wrote:
...
> The good thing would be that you at least know for sure that the certs
> that you do accept and verify correctly, that they are really the ones
> they claim they are and not some s[cp]ammer somewhere.

I'm not sure how that'd help most of the network operators in practice 
until a critical mass is reached.

>From upstreams where you basically get a default route, there's little 
difference whether someone uses routing certificates as your traffic 
is going to go there in any case because 99.5% of networks won't use 
routing certificates.

The good thing is that if your peers use routing certificates, their 
traffic cannot be hijacked by another peer or someone in the Internet. 
So, there's some incentive to deploy this for those who have a 
significant number of non-transit peers.

In your own advertisements the main benefit seems to be that those 
folks that do verify routing certificates might be able to reject 
hijacked advertisements from someone else, but this isn't going to 
work very well until most of the networks in the middle would verify 
routing certificates.  Given that the networks in the middle have 
established the business of forwarding whatever they're given and paid 
for, I'm not sure how interested they'd be to deploy s*BGP.

Have I mised something ?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings