nanog mailing list archives
Re: rpki vs. secure dns?
From: Alex Band <alexb () ripe net>
Date: Sun, 29 Apr 2012 22:38:39 +0200
On 29 Apr 2012, at 22:03, David Conrad wrote:
> Alex,
>
> On Apr 29, 2012, at 8:16 AM, Alex Band wrote:
>> All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.
>
> I suspect the court order would simply say something like 'RIPE-NCC must, upon pain of contempt of court, take sufficient steps to invalidate the allocations made to customer X' and leave it up to you all to figure out how to do it. I doubt they'd care all that much about implementation details. Are you saying it is not possible for RIPE-NCC staff to do this?
>
> I also doubt the court would care too much about 'local override' as the "Tyranny of Defaults" would be sufficient for their needs (and they could probably sanction the folks in the Netherlands who they discovered did the override).
>
> As Randy points out, this is not unique to SIDR-defined RPKI. It is applicable to any top-down hierarchical authorization mechanism. Security has (non-monetary) costs.
Thanks David, I know that a court order doesn't have to be specific. I just want to make people aware that in the case of RPKI, things are not as clear cut as "Revoked ROA = Offline network". It depends on many factors and I just want to offer a little perspective of what's involved.

-Alex

(P.S. I'm going on holiday for a week without internet access, so I won't be able to follow up on this thread for a while)