rpki vs. secure dns?
Matthias Waehlisch
waehlisch at ieee.org
Sun Apr 29 19:40:17 UTC 2012
On Sun, 29 Apr 2012, Stephane Bortzmeyer wrote:
> > How does this interact with the presence of certificates for
> > supernets, though? That is, suppose an ISP creates a legitimate ROA
> > for 12.0.0.0/8, after ensuring that all of its customers have
> > legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose
> > one of these customers has its legitimate ROA revoked by a court
> > order. Would the legitimate announcement of that subnet (originated
> > by the customer's ASN) still result in UNKNOWN status, or would it
> > look like a sub-prefix hijack because the announcement has a
> > different ASN than the matching 12.0.0.0/8 prefix?
>
> The second (and therefore Alex Band's example is not good). But it
> depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA
> (section 3.3 of RFC 6482).
>
unclear as the scenario doesn't depend on the maxLength (wrt the
current specs). If there are valid covering ROAs in the RPKI and none of
them match in the origin AS (customer ROA removed), the route prefix is
invalid.
The scenario is similar to the case in which the ISP starts to create
a ROA for a superblock before the customer adds its route prefix into
the RPKI ... this happened with AT&T during testing, for example,
https://labs.ripe.net/Members/waehlisch/one-day-in-the-life-of-rpki
Cheers
matthias
--
Matthias Waehlisch
. Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
. Takustr. 9, D-14195 Berlin, Germany
.. mailto:waehlisch at ieee.org .. http://www.inf.fu-berlin.de/~waehl
:. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net
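To make the point above concrete (a covering ROA exists but none matches the origin AS, so the route is Invalid rather than NotFound, and the superblock ROA's maxLength does not change that), here is an added example implementing the RFC 6811 origin-validation decision over an in-memory ROA table. This is not code from the thread or from any validator project; the AS numbers (64500 for the ISP, 64501 for the customer) are constructed placeholders from the private-use range, and the 12.0.0.0/8 prefix is the one used in the discussion.

```python
"""Route-origin validation per RFC 6811 over a constructed ROA table."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class ValidationState(Enum):
    NOT_FOUND = "NotFound"   # no ROA covers the route prefix
    VALID = "Valid"          # at least one covering ROA matches origin AS and maxLength
    INVALID = "Invalid"      # covering ROAs exist, but none matches


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "12.0.0.0/8"
    max_length: int  # maxLength attribute (RFC 6482 section 3.3)
    origin_as: int   # authorised origin ASN


def validate_origin(route_prefix: str, origin_as: int, roas) -> ValidationState:
    """Classify a BGP route (prefix, origin AS) against a set of ROAs.

    A ROA *covers* the route when the route prefix lies within the ROA prefix,
    regardless of maxLength. A covering ROA *matches* only when its origin AS
    equals the route's origin AS and the route length is <= maxLength.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return ValidationState.VALID
    return ValidationState.INVALID if covered else ValidationState.NOT_FOUND


# Constructed scenario: ISP (AS 64500, hypothetical) holds the /8,
# customer (AS 64501, hypothetical) originates 12.1.0.0/16.
ISP_AS, CUSTOMER_AS = 64500, 64501
ISP_ROA = ROA("12.0.0.0/8", 8, ISP_AS)
CUSTOMER_ROA = ROA("12.1.0.0/16", 16, CUSTOMER_AS)
CUSTOMER_ROUTE = ("12.1.0.0/16", CUSTOMER_AS)


def scenarios() -> dict:
    """Return the validation state for each case discussed in the thread."""
    return {
        # Both ROAs present: the customer's own ROA matches.
        "both_roas": validate_origin(*CUSTOMER_ROUTE, [ISP_ROA, CUSTOMER_ROA]),
        # Customer ROA revoked: the /8 still covers, but its AS differs.
        "customer_roa_revoked": validate_origin(*CUSTOMER_ROUTE, [ISP_ROA]),
        # Same, with the ISP's maxLength widened to /16: still no AS match,
        # so maxLength does not rescue the route.
        "isp_maxlen_16_no_customer_roa": validate_origin(
            *CUSTOMER_ROUTE, [ROA("12.0.0.0/8", 16, ISP_AS)]),
        # ISP originating its own /8 is matched by its own ROA.
        "isp_own_supernet": validate_origin("12.0.0.0/8", ISP_AS, [ISP_ROA]),
        # A prefix nobody has signed a ROA for is simply NotFound.
        "unrelated_prefix": validate_origin("198.51.100.0/24", 64499,
                                            [ISP_ROA, CUSTOMER_ROA]),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:32s} -> {state.value}")
```

The ordering of checks is what makes the "superblock first, customer later" case land on Invalid: coverage is decided purely by prefix containment, and maxLength is only consulted once the origin AS already agrees. A validator that tested maxLength before AS equality, or treated a non-matching maxLength as "not covering", would wrongly downgrade such routes to NotFound.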