nanog mailing list archives
Re: rpki vs. secure dns?
From: Alex Band <alexb () ripe net>
Date: Sun, 29 Apr 2012 17:16:39 +0200
On 28 Apr 2012, at 21:28, Phil Regnauld wrote:
> Rubens Kuhl (rubensk) writes:
>
>> In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17: https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>>
>> The same currently happens with DNSSEC, doing what Comcast calls "negative trust anchors": http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
>
> Yes, NTAs was the comparison that came to my mind as well. Or even in classic DNS, overriding with stubs. You will get bitten by a bogus/flawed ROA, but you'll have the chance to mitigate it. Any kind of centralized mechanism like this is subject to these risks, no matter what the distribution mechanism is.
Now that we have cleared up the fact that any RPKI statement can be overridden, I want to address another tenacious misunderstanding in relation to what Randy said:

On 28 Apr 2012, at 15:58, Randy Bush wrote:

> the worry in the ripe region and elsewhere is what i call the 'virginia court attack', also called the 'dutch court attack'. some rights holder claims their movie is being hosted in your datacenter and they get the RIR to jerk the attestation to your ownership of the prefix or your ROA.
If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place.

Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN. The only way a court order could make a route announcement get the RPKI status *INVALID* would be to:

1: Remove the original, legitimate ROA
2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack

All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.

-Alex
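The three registry states Alex walks through (legitimate ROA present, ROA removed, false ROA injected) follow directly from the route origin validation procedure of RFC 6811. The Python below is an added example, not code from this thread or from the RIPE NCC: it runs that procedure over a constructed set of ROAs and shows why deleting a ROA yields UNKNOWN while only a conflicting ROA yields INVALID, and why a router that drops only INVALID routes keeps carrying the prefix after a removal. The Roa class, the validate/accepted/court_order_scenario functions and the 192.0.2.0/24, AS64496 and AS64511 values are constructed for the example; the local override step is a simplified stand-in for the override mechanism the slides refer to, not a reproduction of it.

```python
"""
Route Origin Validation (RFC 6811) walked through the registry states
described in the thread: legitimate ROA present, ROA removed, false ROA
injected, then a local override. Constructed example, not code from the
thread. 192.0.2.0/24 and AS 64496/64511 are documentation values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorisation as seen by a validating cache."""
    prefix: str       # address block the ROA covers, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    asn: int          # AS authorised to originate the prefix


def covering_roas(roas: Iterable[Roa], announced: str) -> List[Roa]:
    """ROAs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    net = ipaddress.ip_network(announced)
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append(roa)
    return found


def validate(roas: Iterable[Roa], announced: str, origin_asn: int) -> str:
    """Return the RPKI status of one announcement: VALID, INVALID or UNKNOWN."""
    covering = covering_roas(roas, announced)
    if not covering:
        # No ROA says anything about this prefix: exactly the state after a
        # ROA is deleted. Nothing is asserted, so nothing can be contradicted.
        return "UNKNOWN"
    length = ipaddress.ip_network(announced).prefixlen
    for roa in covering:
        # AS 0 ROAs mean "nobody may originate this" and never match.
        if roa.asn != 0 and roa.asn == origin_asn and length <= roa.max_length:
            return "VALID"
    # At least one ROA covers the prefix and none matches origin and length.
    return "INVALID"


def accepted(status: str, drop_invalid: bool = True) -> bool:
    """Typical router policy: only INVALID is rejected; UNKNOWN still routes."""
    return status != "INVALID" or not drop_invalid


def court_order_scenario() -> Dict[str, str]:
    """Status of the legitimate announcement at each step of the argument."""
    announced, legit_asn, other_asn = "192.0.2.0/24", 64496, 64511
    legit_roa = Roa(announced, 24, legit_asn)
    registry = {legit_roa}
    result = {"before": validate(registry, announced, legit_asn)}

    # Step 1: the RIR is ordered to remove the ROA. Status drops to UNKNOWN,
    # which routers running the usual "drop INVALID only" policy still accept.
    registry.discard(legit_roa)
    result["after_removal"] = validate(registry, announced, legit_asn)

    # Step 2: only by injecting a false ROA naming another AS does the real
    # announcement become INVALID (and the other AS's announcement VALID).
    registry.add(Roa(announced, 24, other_asn))
    result["after_injection"] = validate(registry, announced, legit_asn)
    result["hijacker_after_injection"] = validate(registry, announced, other_asn)

    # Local override: the operator merges a locally asserted ROA with the
    # fetched registry. Hypothetical stand-in for the override mechanism the
    # thread refers to; current validators implement this via SLURM (RFC 8416).
    local_assertions = {legit_roa}
    result["after_local_override"] = validate(
        registry | local_assertions, announced, legit_asn
    )
    return result


if __name__ == "__main__":
    for step, status in court_order_scenario().items():
        print(f"{step:>25}: {status:8} accepted={accepted(status)}")
```

Running the script prints the status of the legitimate announcement after each step. The point of the `accepted` column is the one Alex makes: a validator that loses the ROA returns UNKNOWN, and routers configured to drop only INVALID routes keep forwarding to the prefix, so removal alone does not take a network offline.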