[ris-int] Trip Report: DHS Routing Security Workshop
Daniel Karrenberg daniel.karrenberg at ripe.net
Thu Mar 17 09:59:14 CET 2005
(Homeland Security) HSARPA:
- requirements driven research
- very flexible contract instruments
- small, agile group

www.hsarpabaa.com (note .com)
www.hsarpabsbir.com

HSARPA CYBER PGMS:
DNSSEC (Steve Crocker, Russ Mundy, mentions DISI, Olaf)
SPRI Routing Security - economics, incentives, deployability

This is the first of 5 workshops. Next is probably after NANOG Seattle, operational requirements. 12 mo (May, summer, Sept, Nov)

HSARPA is about Development, Deployment, less about Research. Want to accelerate processes already happening. Quicker than IETF pace.

I'll leave all the discussions to a reference to the position papers which I do not have yet. I'll forward it as soon as I get it.

Main points:

The main problem remains lack of ISP motivation to do routing security. Business cases are not clear and current level of incidents is clearly below the nuisance level.

There appears to be a strong perception that address allocation registries are not accurate, especially for older assignments.

Then there is a registry needed to link address space to routes and their origin addresses.

Minor points:

There continues to be a need for reliable data about "irregular routes".

Idea (Crocker): Intelligently filter routing data and make an "interesting bogon" list. Something for the RIS.

Once we get squatting on unallocated addresses dealt with, addresses allocated but not routed will be targeted.

RIS mentioned several times as "more accurate and better" than route views. Still route views used most of the time.

RIRs mentioned several times as natural places for registries supporting routing security: address space (we do), route origination (new), other policies (maybe).

Major consequences for us:

We need to quantify the quality of RS data somehow and give a more clear picture of what still needs to be cleaned up and the plan for achieving this including time frames. Apparently we are being too vague. Better do this proactively than in response to an increasing level of questions.

We need to keep the RIPE community informed and "in the loop" of routing security developments.

We need to consider the route origin registry more stringent and separate from the current routing registry and the address allocation registry. Maybe we want to run things.

Minor consequences:

Consider a "not routed on the public Internet" attribute for the address space registry.

"irregular routes" sifting of RIS.

Miscellaneous:

RS (still) does not use RIS when it could. (re ASNs).

Ginny Listman to chair a group looking into address registries. We need to have someone there.