On Jul 20, 2006, at 7:11 PM, Tony Li wrote:
>
>
>> Should there be a requirement that any proposed security
>> system must be useful even if deployed in a noncontiguous way? Or should
>> this not be a requirement?
>
>
> IMHO, the requirement should be that it be possible to have incremental
> deployment, with benefit at least proportional to the extent of the
> deployment.
>
> The very nature of BGP implies that you will end up with incremental
> noncontiguous deployments. If there are no benefits until contiguity is
> restored, then there will be no adoption, and hence no point in creating
> the solution in the first place.

Agreed,

A successful standard will allow for deployments that are not yet interconnected. Those folks doing BGP in support of the Internet will appreciate the ability to secure local sections of the Internet and at least offer a higher degree of probability that they will not have prefixes hijacked etc... BTW, we also discussed the likelihood of making the selection of a "secure" route part of the BGP path selection process.

The specific paragraph that started this was intended to note the fact that we will be unable to have a "flag day" for BGP. It is highly unlikely we will have the entire Internet converted quickly. There will be pockets of "insecure" and areas that are "secure" that are connected to/through insecure networks.

The folks "not" doing BGP for the Internet are likely to have some needs WRT partial deployment as well and I believe that most of us have seen or will see cases where a partial deployment aids in a full deployment later.

Regards,
Blaine
_______________________________________________
RPSEC mailing list
RPSEC ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec