On Tue, May 03, 2011 at 03:42:04PM +0200, Erik Bais wrote:
> The question is not what you are planning to do within your network with this or how paranoid you plan to be in regards to the tools around this. If you don't want to use the provided tools from RIPE NCC, run your own CA. If you don't want to use RPKI, fine as well, nobody is forcing you.
There is no policy that determines that "everything longer than a /24 is not routable" either. If all your transits insist on RPKI-signed advertisements, it becomes de facto mandatory.

The fundamental issue with this proposal is that it, like the block-lists that some governments dream of, establishes an infrastructure that is open to abuse. Everything that *can* be abused, no matter how well-intentioned it may have been, *will* be abused. And the last thing, in my opinion, that the DFZ needs is *another* attack vector.

Kind Regards,
Sascha Luck