nanog mailing list archives

Re: rpki vs. secure dns?

From: Alex Band <alexb () ripe net>
Date: Sun, 29 Apr 2012 17:16:39 +0200


On 28 Apr 2012, at 21:28, Phil Regnauld wrote:

Rubens Kuhl (rubensk) writes:

In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on 
slide 15-17:

https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf


The same currently happens with DNSSEC, doing what Comcast calls
"negative trust anchors":
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01


      Yes, NTAs was the comparison that came to my mind as well. Or even
      in classic DNS, overriding with stubs. You will get bitten by a bogus/
      flawed ROA, but you'll have to the chance to mitigate it. Any kind of
      centralized mechanism like this is subject to these risks, no matter
      what the distribution mechanism is.


Now that we have cleared up the fact that any RPKI statement can be overridden, I want to address another tenacious 
misunderstanding in relation to what Randy said:

On 28 Apr 2012, at 15:58, Randy Bush wrote:

the worry in the ripe region and elsewhere is what i call the 'virginia
court attack', also called the 'dutch court attack'.  some rights holder
claims their movie is being hosted in your datacenter and they get the
RIR to jerk the attestation to your ownership of the prefix or your ROA.


If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that 
there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the 
RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place. 

Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN.

The only way a court order could make a route announcement get the RPKI status *INVALID* would be to:
1: Remove the original, legitimate ROA
2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack

All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper 
with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.

-Alex

Attachment: smime.p7s
Description:

Current thread:

Re: rpki vs. secure dns?, (continued)
- - Re: rpki vs. secure dns? Alex Band (Apr 28)
    - Re: rpki vs. secure dns? Florian Weimer (Apr 28)
    - Re: rpki vs. secure dns? Alex Band (Apr 28)
    - Re: rpki vs. secure dns? Florian Weimer (Apr 28)
    - Re: rpki vs. secure dns? Nick Hilliard (Apr 28)
    - Re: rpki vs. secure dns? Phil Regnauld (Apr 28)
    - Re: rpki vs. secure dns? Nick Hilliard (Apr 28)
    - Re: rpki vs. secure dns? Alex Band (Apr 28)
    - Re: rpki vs. secure dns? Rubens Kuhl (Apr 28)
    - Re: rpki vs. secure dns? Phil Regnauld (Apr 28)
    - Re: rpki vs. secure dns? Alex Band (Apr 29)
    - Re: rpki vs. secure dns? Jennifer Rexford (Apr 29)
    - Message not available
    - Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 29)
    - Re: rpki vs. secure dns? Matthias Waehlisch (Apr 29)
    - Re: rpki vs. secure dns? David Conrad (Apr 29)
    - Re: rpki vs. secure dns? Alex Band (Apr 29)
    - Re: rpki vs. secure dns? Randy Bush (Apr 29)
    - Re: rpki vs. secure dns? Nick Hilliard (Apr 29)
    - Re: rpki vs. secure dns? Florian Weimer (Apr 30)
    - Re: rpki vs. secure dns? Nick Hilliard (Apr 29)
    - Re: rpki vs. secure dns? Alex Band (Apr 30)

(Thread continues...)