1) BGP Security Concerns
The primary security concern that needs to be addressed is the
incentive to hijack legitimate IP address blocks via BGP spoofing.
This is something the IAB should consider as a matter of urgency.
The only proposal made in the area (Kent) is undeployable, it requires
adding IPSEC to every router on the backbone which ain't happening and is
It is very clear that the ISPs will be deploying IP based
authentication schemes in the near future regardless of concerns raised by
2) DNS Security Concerns
The DNS statement is incorrect. The DNS does have security, it just
is not very good and it is not cryptographically based.
The cookie mechanism is limited to a 16 bit cookie. This could be
easily extended to 128 bits by means of a dummy resource request.
DNSSEC is undeployable as currently specified. The IESG is aware of
3) We do not need yet another IP authentication scheme.
At this point proposing yet another scheme based on the same
principles does not contribute to the discussion.
Asrg mailing list