A top-down RPKI model a threat to human freedom? (was Re: Level 3's IRR Database)

Owen DeLong owen at delong.com
Wed Feb 2 02:07:24 UTC 2011


On Feb 1, 2011, at 3:53 PM, Karl Auer wrote:

> On Tue, 2011-02-01 at 14:51 -0800, Owen DeLong wrote:
>> If the RIR is signing the "invalid" ROA, how does one distinguish the
>> invalid from the valid?
> 
> In systems where the outputs from a computer system are very, very
> critical, a sort of "consensus" takes place (I think they did this in
> some space flights too) - two of three independent systems have to agree
> that the information is correct before it can be acted upon.
> 
> Perhaps there is room at the top level for some such mechanism in RPKI?
> That is, treat "the top" not as being one RIR, but as a confederation of
> RIRs, possibly all with the SAME key. If different keys start appearing,
> the one that comes from the most RIRs is considered correct, and the
> other(s) as mavericks.
> 
> But I'm speaking from a very deep well of ignorance about RPKI.
> 
Indeed... The key is how you identify the signature, essentially.

So, if the bodies all share the same key, then, any one of them can
sign anything and it is indistinguishable from something signed by
the others.

What would be needed would be a triple signature with different
keys (like bank checks that require more than one signature).

However, the usual process for getting something signed through that
system would probably be that A does the authentication process
and then asks B and C to "witness" their signature.

If A has a gun to their head, they're still going to likely be able to
get B and C to "witness" that signature, so, you're still in a fix.

This really isn't an easy problem to solve. Until it is solved, there
are serious questions about RPKI doing more harm than good.

Owen
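
The difference the message above draws between one shared key and a separate key per body, as an added example that is not part of the original post. It is a Go sketch in which Ed25519 stands in for RPKI's signature scheme; the Body, Endorsement and CountValid names, the seed bytes and the object string are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Body is a hypothetical signing body (an RIR, say) with one key pair.
type Body struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

type Endorsement struct {
	Signer string
	Sig    []byte
}

// NewBody derives a key pair from a constructed seed byte (demo only, not secure).
func NewBody(name string, seed byte) Body {
	s := [ed25519.SeedSize]byte{seed}
	priv := ed25519.NewKeyFromSeed(s[:])
	return Body{name, priv.Public().(ed25519.PublicKey), priv}
}

func (b Body) Endorse(obj []byte) Endorsement {
	return Endorsement{b.Name, ed25519.Sign(b.priv, obj)}
}

// CountValid counts distinct bodies with a valid signature over obj (public keys only).
func CountValid(obj []byte, ends []Endorsement, bodies []Body) int {
	seen := map[string]bool{}
	for _, e := range ends {
		for _, b := range bodies {
			if b.Name == e.Signer && ed25519.Verify(b.Pub, obj, e.Sig) {
				seen[b.Name] = true
			}
		}
	}
	return len(seen)
}

func main() {
	obj := []byte("constructed object: 192.0.2.0/24 origin AS64500")
	for _, seeds := range [][3]byte{{7, 7, 7}, {1, 2, 3}} { // shared key, then distinct keys
		bodies := []Body{NewBody("A", seeds[0]), NewBody("B", seeds[1]), NewBody("C", seeds[2])}
		sig := bodies[0].Endorse(obj).Sig // only A signs; the same bytes are presented under all three names
		fmt.Println(CountValid(obj, []Endorsement{{"A", sig}, {"B", sig}, {"C", sig}}, bodies)) // 3, then 1
	}
}
```

A count of valid signatures says nothing about whether each body checked the request independently, which is the residual problem the message describes.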