[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Sascha Luck
lists-ripe at c4inet.net
Tue May 3 17:44:22 CEST 2011
On Tue, May 03, 2011 at 03:42:04PM +0200, Erik Bais wrote:
>The question is not what you are planning to do within your network with
>this or how paranoid you plan to be in regards to the tools around this.
>If you don't want to use the provided tools from RIPE NCC, run your own CA.
>If you don't want to use RPKI, fine as well, nobody is forcing you.

There is no policy that determines that "everything longer than a /24 is not routable" either. If all your transits insist on rpki-signed advertisements, it becomes de-facto mandatory.

The fundamental issue with this proposal is that it, like the block-lists that some governments dream of, establishes an infrastructure that is open to abuse. Everything that *can* be abused, no matter how well-intentioned it may have been, *will* be abused. And the last thing, in my opinion, that the DFZ needs is *another* attack vector.

Kind Regards,
Sascha Luck