rpki vs. secure dns?
On Sun, Apr 29, 2012 at 11:28:58AM -0400,
Jennifer Rexford <jrex at CS.Princeton.EDU> wrote
a message of 37 lines which said:
> How does this interact with the presence of certificates for
> supernets, though? That is, suppose an ISP creates a legitimate ROA
> for 12.0.0.0/8, after ensuring that all of its customers have
> legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose
> one of these customers has its legitimate ROA revoked by a court
> order. Would the legitimate announcement of that subnet (originated
> by the customer's ASN) still result in UNKNOWN status, or would it
> look like a sub-prefix hijack because the announcement has a
> different ASN than the matching 12.0.0.0/8 prefix?
The second (and therefore Alex Band's example is not good). But it
depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA
(section 3.3 of RFC 6482).
If, in the future, RIRs or operators create ROAs for all the blocks
they manage, revocation of a ROA will be deadly.
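As an added illustration of the scenario discussed in this thread (my own example code, not anything posted by the participants), the following Python implements the route origin validation rules of RFC 6811 (Covered / Matched / NOT_FOUND / VALID / INVALID) and runs the revocation case through it: an ISP ROA for 12.0.0.0/8 (from the thread), a constructed customer ROA for 12.34.0.0/16, and documentation ASNs 64500 and 64501 standing in for the ISP and customer. Under those rules the customer's announcement becomes INVALID as soon as its own ROA is gone, because the /8 ROA still covers the /16 while its origin AS differs; the maxLength on the /8 ROA only decides whether the ISP itself could validly originate the more-specific. A NOT_FOUND result (the "UNKNOWN" status in the question) needs there to be no covering ROA at all.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) triple."""
    prefix: IPNetwork
    max_length: int
    asn: int


def make_vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    """Build a VRP; maxLength defaults to the prefix length (RFC 6482 sec. 3.3)."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return VRP(net, ml, asn)


def covers(vrp: VRP, route: IPNetwork) -> bool:
    """RFC 6811 'Covered': the route lies inside the VRP prefix (maxLength is irrelevant)."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def matches(vrp: VRP, route: IPNetwork, origin_asn: int) -> bool:
    """RFC 6811 'Matched': covered, within maxLength, and same origin AS."""
    return (
        covers(vrp, route)
        and route.prefixlen <= vrp.max_length
        and vrp.asn == origin_asn
    )


def validate(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return NOT_FOUND, VALID or INVALID for an announcement (RFC 6811 sec. 2)."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering: List[VRP] = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NOT_FOUND"          # no ROA says anything about this space
    if any(matches(v, route, origin_asn) for v in covering):
        return "VALID"
    return "INVALID"                # covered by some ROA, matched by none


def revocation_scenario(isp_max_length: int = 8) -> dict:
    """The thread's case: the customer's ROA disappears while the ISP's /8 ROA remains.

    ASNs 64500/64501 and the /16 are constructed placeholders for the example.
    """
    ISP_AS, CUSTOMER_AS = 64500, 64501
    isp_roa = make_vrp("12.0.0.0/8", ISP_AS, isp_max_length)
    customer_roa = make_vrp("12.34.0.0/16", CUSTOMER_AS)
    route, origin = "12.34.0.0/16", CUSTOMER_AS
    return {
        # both ROAs present: the customer's own ROA matches
        "before_revocation": validate(route, origin, [isp_roa, customer_roa]),
        # customer ROA revoked: still covered by the /8, so INVALID, not NOT_FOUND
        "after_revocation": validate(route, origin, [isp_roa]),
        # nothing covering the space at all: NOT_FOUND ("UNKNOWN")
        "no_covering_roa": validate(route, origin, []),
        # whether the ISP itself may originate the /16 depends on its maxLength
        "isp_own_more_specific": validate(route, ISP_AS, [isp_roa]),
    }


if __name__ == "__main__":
    for ml in (8, 16):
        print(f"maxLength={ml}:", revocation_scenario(ml))
```

Running it with maxLength 8 and 16 on the /8 ROA shows the announcement flipping from VALID to INVALID on revocation in both cases; only the ISP's own hypothetical /16 announcement changes with maxLength.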