rpki vs. secure dns?

Matthias Waehlisch waehlisch at ieee.org
Sun Apr 29 14:40:17 CDT 2012


On Sun, 29 Apr 2012, Stephane Bortzmeyer wrote:

> > How does this interact with the presence of certificates for 
> > supernets, though?  That is, suppose an ISP creates a legitimate ROA 
> > for 12.0.0.0/8, after ensuring that all of its customers have 
> > legitimate ROAs for the various subnets of 12.0.0.0/8.  Now, suppose 
> > one of these customers has its legitimate ROA revoked by a court 
> > order.  Would the legitimate announcement of that subnet (originated 
> > by the customer's ASN) still result in UNKNOWN status, or would it 
> > look like a sub-prefix hijack because the announcement has a 
> > different ASN than the matching 12.0.0.0/8 prefix?
> 
> The second (and therefore Alex Band's example is not good). But it 
> depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA 
> (section 3.3 of RFC 6482).
> 
  unclear as the scenario doesn't depend on the maxLength (wrt the 
current specs). If there are valid covering ROAs in the RPKI and none of 
them match in the origin AS (customer ROA removed), the route prefix is 
invalid.

  The scenario is similar to the case in which the ISP starts to create 
a ROA for a superblock before the customer adds its route prefix into 
the RPKI ... this happened with AT&T during testing, for example, 
https://labs.ripe.net/Members/waehlisch/one-day-in-the-life-of-rpki



Cheers
  matthias

-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
.  Takustr. 9, D-14195 Berlin, Germany
.. mailto:waehlisch at ieee.org .. http://www.inf.fu-berlin.de/~waehl
:. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net



More information about the NANOG mailing list