Is Secured Routing a Market Failure?

Author: Geoff Huston

The Internet represents a threshold moment for the communications realm in many ways. It altered the immediate end client of the network service from humans to computers. It changed the communications model from synchronized end-to-end service to asynchronous, and from virtual circuits to packet…


Dark

I’d like to reflect on a presentation by Dr. Paul Vixie at the October 2022 meeting of the North American Network Operators Group (NANOG), on the topic of the shift to pervasive encryption of application transactions on the Internet today. There is a view out there that any useful public…


Revocation

Two years ago, I wrote an article on X.509 certificate revocation. I’d like to report that a lot has happened between then and now, but that’s not the case. So why revisit this topic today? What drew my attention was a tweet earlier this month that reported that the Certification…


Some Notes from RIPE 83

The RIPE community held a meeting in November. Like most community meetings in these Covid-blighted times it was a virtual meeting. Here are my notes from a few presentations that piqued my interest. All the material presented at the meeting can be found at https://ripe83.ripe.net/.

Vulnerability Disclosure

Responsible Disclosure is a…


NANOG 83

The network operations community is cautiously heading back into a mode of in person meetings and the NANOG meeting at the start of November was a hybrid affair with a mix of in-person and virtual participation, both by the presenters and the attendees. I was one of the virtual mob,…


RSA vs ECDSA for DNSSEC

It has often been said of technology standards that the good thing is that there are just so many to pick from! The same is true, to perhaps a more limited extent, in the world of cryptography. The choices may not be quite so diverse, but there are still many…


TLS with a side of DANE

Am I really talking to you? In a networked world that’s an important question. For example, where I’m located, when I look up the DNS name www.google.com I get the IPv6 address 2404:6800:4006:813::2004. This implies that when I send an IPv6 packet to this destination address I will reach a…


Measuring ROAs and ROV

There are a number of parts to the current framework that we’re using to improve routing security on the Internet. Prefix holders should generate validly signed Route Origination Attestations (ROAs) and have them published. Network operators should maintain a current local cache of these signed objects and use them to…
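The two steps in that excerpt (prefix holders publish signed ROAs; operators validate received routes against a local cache of them) are what RFC 6811 Route Origin Validation does. The block below is an added example, not code from the article: a small Python implementation of the RFC 6811 validity decision (NotFound / Valid / Invalid) over a constructed ROA cache. The prefixes, ASNs and maxLength values are made up for illustration and are not published RPKI data.

```python
"""Route Origin Validation (RFC 6811) over a local ROA cache.

Added example. The ROA cache below is constructed for illustration;
it is not real RPKI data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: (prefix, maxLength, origin ASN)."""
    prefix: Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A BGP route as seen by the validator: prefix plus origin AS."""
    prefix: Network
    origin_asn: int


def parse_roa(prefix: str, max_length: Optional[int], asn: int) -> ROA:
    """Build a ROA; an absent maxLength means 'exactly this prefix length'."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {prefix}")
    return ROA(net, ml, asn)


def covers(roa: ROA, route: Route) -> bool:
    """RFC 6811 'Covered': same address family and route lies inside ROA prefix."""
    return (roa.prefix.version == route.prefix.version
            and route.prefix.subnet_of(roa.prefix))


def matches(roa: ROA, route: Route) -> bool:
    """RFC 6811 'Matched': covered, same origin AS, length within maxLength."""
    return (covers(roa, route)
            and roa.asn == route.origin_asn
            and route.prefix.prefixlen <= roa.max_length)


def validate(route: Route, cache: Iterable[ROA]) -> str:
    """No covering ROA -> NotFound; any matching ROA -> Valid; else Invalid."""
    covering = [r for r in cache if covers(r, route)]
    if not covering:
        return "NotFound"
    if any(matches(r, route) for r in covering):
        return "Valid"
    return "Invalid"


# Constructed ROA cache (hypothetical prefixes and ASNs, not real data).
CACHE = [
    parse_roa("192.0.2.0/24", None, 64496),       # exact /24 only
    parse_roa("198.51.100.0/24", 26, 64497),      # /24 through /26 allowed
    parse_roa("2001:db8::/32", 48, 64498),        # IPv6, /32 through /48
    parse_roa("203.0.113.0/24", None, 0),         # AS0 ROA: no valid origin
]


def check(prefix: str, origin_asn: int) -> str:
    """Validate one announced (prefix, origin AS) against CACHE."""
    return validate(Route(ipaddress.ip_network(prefix), origin_asn), CACHE)


if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                 ("198.51.100.128/26", 64497), ("198.51.100.0/27", 64497),
                 ("198.51.100.0/24", 64499), ("2001:db8:1::/48", 64498),
                 ("2001:db8:1::/64", 64498), ("203.0.113.0/24", 64496),
                 ("192.0.0.0/16", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{p:22} AS{a}: {check(p, a)}")
```

Two points the example makes that the prose does not: a more-specific announcement beyond the ROA's maxLength is Invalid rather than NotFound (the covering ROA exists, it just does not match), and an AS0 ROA falls out of the same rule, since no real route originates from AS 0, so every covered route is Invalid unless some other ROA matches it. A less-specific announcement than any ROA is not covered at all and is NotFound.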