[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Blockchain and Networking

On Tue, Jan 9, 2018 at 10:22 AM, William Herrin <bill at herrin.us> wrote:

> On Tue, Jan 9, 2018 at 1:07 AM, John R. Levine <johnl at iecc.com> wrote:
The promise of blockchain is fraud-resistant recordkeeping, database
management,  AND
resource management maintained by a distributed decentralized network which
eliminates or reduces the extent to which there are central points of trust
involved in
the recordkeeping,

AND can implement resource-management rules or policies programmatically
in an unbiased way  (E.G.  "Smart Contracts").

For example:  A decentralized internet number registry could use a
as the means of making the public records showing the transferrence of the
ownership of a particular  internet number from the originator to the

The potential is there to go a step beyond replacing RPKI,   as a blockchain
could be the AS number authority itself,  thus eliminating the need to
have any centralized organizations for  tracking and managing
number resource assignments.

> How about validating whether a given AS is an acceptable origin for a set
> >> of prefixes?
> That's a job for ordinary PKI. Any time you have a trusted central
> authority to serve as an anchor, ordinary PKI works fine. The RIRs serve as

See:  That's the problem.   Ordinary PKI  DEPENDS on centralized trust --
that is, with PKI there  are  corruptible or potentially corruptible or
compromisable entities in your system  that you assign an unwarranted or
unnecessary level of trust to.

That would include organizations such AS Number and IP Address registries.
Under the current system,  they retain an Unwarranted level of trust,  for
example:  ARIN  Could  Delete an IP address allocation or an AS number
allocation  after it was assigned,    because  someone else told them to,
or  maybe someone didn't like the content on your website and
someone who manipulated or legally forced the central figure to do so.

This would include whatever entities can be signing authorities of your PKI.
This includes any organization with unsecured resource management
such as the DNS Root server, TLD Server operators,  and Domain registrars.

Which includes the risks:
    (1)  The signing authority could be breached by an outsider or insider
    (2)   The signing authority could prove untrustworthy or later change
the rules.
    (3)   The signing authority could be covertly corrupted by a government
            or foreign power: to support nefarious goals or surveilance or

For example:  A DNS Registrar or TLD Registry could make a change to the DS
Key or remove
the DS Key and confiscate a domain to intercept traffic, without even the
of the original registrant.