rpki vs. secure dns?

Alex Band alexb at ripe.net
Sun Apr 29 10:16:39 CDT 2012


On 28 Apr 2012, at 21:28, Phil Regnauld wrote:

> Rubens Kuhl (rubensk) writes:
>>> In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
>>> 
>>> https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>> 
>> The same currently happens with DNSSEC, doing what Comcast calls
>> "negative trust anchors":
>> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
> 
> 	Yes, NTAs was the comparison that came to my mind as well. Or even
> 	in classic DNS, overriding with stubs. You will get bitten by a bogus/
> 	flawed ROA, but you'll have to the chance to mitigate it. Any kind of
> 	centralized mechanism like this is subject to these risks, no matter
> 	what the distribution mechanism is.

Now that we have cleared up the fact that any RPKI statement can be overridden, I want to address another tenacious misunderstanding in relation to what Randy said:

On 28 Apr 2012, at 15:58, Randy Bush wrote:

> the worry in the ripe region and elsewhere is what i call the 'virginia
> court attack', also called the 'dutch court attack'.  some rights holder
> claims their movie is being hosted in your datacenter and they get the
> RIR to jerk the attestation to your ownership of the prefix or your ROA.

If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place. 

Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN.

The only way a court order could make a route announcement get the RPKI status *INVALID* would be to:
1: Remove the original, legitimate ROA
2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack

All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.

-Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2355 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20120429/40bf274f/attachment.bin>


More information about the NANOG mailing list