rpki vs. secure dns?

Randy Bush randy at psg.com
Sat Apr 28 08:58:00 CDT 2012

[ sorry cameron, trying to keep things down to one message ]

> http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem
> http://www.itworld.com/security/272320/engineers-ponder-easier-fix-dangerous-internet-problem

and don't miss


free dinner at nanog/van for anyone who can explain how the dnssec
approach meets the defcon attack.  hint: it is a path attack, not an
origin attack, and the dns pigeon has no hooks to path attack
prevention.  at ripe, joe gersh asked me for an example of a path attack
and i told him of the defcon demo.  seems he also did not bother to do
his homework.  but it makes good pr.

someone selling dnssec appliances flew a press release that a few
reporters bought without doing their homework.  end of net predicted,
news at eleven.

> Taking what seriously ? The commitments to rpki you speak of ?

a thousand LIRs in the ripe region, 500 elsewhere?  cisco code shipping
on a number of platforms, juniper soon.  some of us have actually
started validating route origins in the real network using rpki and
cisco and juniper (test) code.


Saku Ytti <saku at ytti.fi> wrote:
> If two fails don't make win, then I think ROVER is better solution,
> doesn't need any changes to BGP just little software magic when
> accepting routes.

you are right, you have not done your homework.  rpki-based origin
validation asks no changes to bgp.

> People might scared to rely on DNS on accepting routes, but is this
> really an issue?

yes.  rpki can also have that issue as the certs can have urls that use
domain names.  i believe they could use ip address urls instead.  but
the gathering operation differs greatly between the rpki and the dnssec
based proposal.  with the latter, you can't even tell you have the full


the worry in the ripe region and elsewhere is what i call the 'virginia
court attack', also called the 'dutch court attack'.  some rights holder
claims their movie is being hosted in your datacenter and they get the
RIR to jerk the attestation to your ownership of the prefix or your ROA.

this problem is inherent in any system which uses the address allocation
administrative hierarchy to attest to address space ownership, whether
rpki, dns-based, or hollerith cards.

i do not like it either.  but it is a trade you make for security.  and,
at ripe ljubljana, i think alex started to discuss some schemes to
ameliorate it.  more later on this.
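The distinction the message draws between an origin attack and a path attack is easiest to see by running the RPKI origin-validation decision itself. The following is an added example, not code from the post or from any router vendor: it implements the route-origin validation outcome (Valid, Invalid, NotFound) from a set of ROAs held locally, the way a router applies it when accepting a route, with no change to BGP messages. The ROA contents, prefixes and AS numbers are constructed sample data from documentation ranges.

```python
"""Route origin validation against a local set of ROAs (added example).

A ROA states that an AS may originate a prefix, and optionally more
specifics of it up to max_length.  Validation only looks at the
ORIGIN AS (last hop of the AS_PATH); the rest of the path is never
checked, which is why a forged path that keeps the legitimate origin
still comes out Valid.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific this ROA authorizes
    asn: int          # authorized origin AS; 0 means "nobody may originate"


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return "Valid", "Invalid" or "NotFound" for (prefix, origin_as)."""
    route = ipaddress.ip_network(prefix, strict=True)

    # A ROA "covers" the route if the ROA prefix is equal to, or less
    # specific than, the announced prefix (same address family only).
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)

    if not covering:
        return "NotFound"   # nobody has said anything about this space

    # Any single covering ROA that matches both AS and length makes it Valid.
    for roa in covering:
        if roa.asn != 0 and roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"        # covered, but no ROA authorizes this origin/length


def validate_update(prefix: str, as_path: List[int], roas: Iterable[ROA]) -> str:
    """Apply origin validation to a BGP update: only as_path[-1] is consulted."""
    if not as_path:
        raise ValueError("AS_PATH must contain at least the origin AS")
    return validate_origin(prefix, as_path[-1], roas)


# Constructed sample ROAs (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


if __name__ == "__main__":
    # Origin attack: a wrong origin AS is caught.
    print(validate_update("192.0.2.0/24", [64500, 64511], SAMPLE_ROAS))       # Invalid
    # Too-specific announcement beyond max_length is caught.
    print(validate_update("198.51.100.0/25", [64500, 64497], SAMPLE_ROAS))    # Invalid
    # Path attack: bogus intermediate hops, legitimate origin at the end.
    print(validate_update("192.0.2.0/24", [64500, 64499, 64496], SAMPLE_ROAS))  # Valid
```

The last call is the point of the message: origin validation answers only "may this AS originate this prefix?", so a route whose AS_PATH ends in the legitimate origin validates regardless of the hops before it. Catching that requires path validation, which neither a ROA nor a DNS record about prefix ownership provides.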



More information about the NANOG mailing list