Re: rpki vs. secure dns?

[Alex Band <alexb () ripe net>]

On 29 May 2012, at 16:21, David Conrad wrote:

> On May 29, 2012, at 4:02 AM, paul vixie wrote:
> > > > i can tell more than that. rover is a system that only works at all
> > > > when everything everywhere is working well, and when changes always
> > > > come in perfect time-order,
> > > Exactly like DNSSEC. 
> >
> > no. dnssec for a response only needs that response's delegation and
> > signing path to work, not "everything everywhere".
>
> My impression was that ROVER does not need "everything, everywhere" to work to fetch the routing information for a 
> particular prefix -- it merely needs sufficient routing information to follow the delegation and signing path for the 
> prefix it is looking up. However, I'll admit I haven't looked into this in any particular depth so I'm probably wrong.

RPKI needs the full data set to determine if a BGP prefix has the status 'valid', 'invalid' or 'unknown'. It can't work 
with partial data. For example, if you are the holder of 10.0.0.0/16 and you originate the full aggregate from AS123 
and a more specific such as 10.0.1.0/24 from AS456, then you will need a ROA for both to make them both 'valid'. If you 
only authorize 10.0.0.0/16 with AS123, then the announcement from AS456 will be 'invalid'. If you only authorize 
10.0.1.0/24 from AS456, the announcement from AS123 will remain 'unknown'.

So in RPKI, partial data – so you failed to fetch one of the ROAs in the set – can make something 'invalid' or 
'unknown' that should actually be 'valid'.
http://tools.ietf.org/html/rfc6483#page-3

As far as I know, ROVER doesn't work like that. You can make a positive statement about a Prefix+AS combination, but 
that doesn't mark the origination from another AS 'unauthorized' or 'invalid', there merely isn't a statement for it. 
(Someone please confirm. I may be wrong.)

-Alex