rpki vs. secure dns?

Jennifer Rexford jrex at CS.Princeton.EDU
Sun Apr 29 10:28:58 CDT 2012


>> the worry in the ripe region and elsewhere is what i call the 'virginia
>> court attack', also called the 'dutch court attack'.  some rights holder
>> claims their movie is being hosted in your datacenter and they get the
>> RIR to jerk the attestation to your ownership of the prefix or your ROA.
> 
> If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place. 
> 
> Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN.
> 
> The only way a court order could make a route announcement get the RPKI status *INVALID* would be to:
> 1: Remove the original, legitimate ROA
> 2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack

How does this interact with the presence of certificates for supernets, though?  That is, suppose an ISP creates a legitimate ROA for 12.0.0.0/8, after ensuring that all of its customers have legitimate ROAs for the various subnets of 12.0.0.0/8.  Now, suppose one of these customers has its legitimate ROA revoked by a court order.  Would the legitimate announcement of that subnet (originated by the customer's ASN) still result in UNKNOWN status, or would it look like a sub-prefix hijack because the announcement has a different ASN than the matching 12.0.0.0/8 prefix?

-- Jen




More information about the NANOG mailing list