rpki vs. secure dns?
russw at riw.us
Mon Apr 30 09:05:40 CDT 2012
>> Neither a DNS based solution nor the RPKI will resolve path attacks,
> I want to be sure of the terminology: what is deployed presently is
> the bundle RPKI+ROA. As their name says, ROAs can only be used against
> origin attacks. But RPKI can be used for other things than RPKI+ROA,
> including BGPsec (against path-based attacks), no?
The RPKI can provide the keying infrastructure on which a mechanism to
"protect the path," (controversial terminology in and of itself) could
be based. Is that the right basis for path validation? I don't know that
we should assume this. But key distribution is the easy part of the
The hard part is determining what we're trying to protect and what the
tradeoffs are in trying to defend against those attacks. BGP-SEC assumes
we care about verifying the path a "routing object" takes through the
network, we don't much care about replay attacks, policy is off the
table (except one policy specific folks care about), and operators are
willing to replace their hardware specifically to resolve this problem.
Is this the right set of presuppositions to make? The provider
community, IMHO, hasn't really participated too much in this entire
discussion, so we don't really know the answers to this question.
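As an added illustration (not part of this thread or of any RPKI implementation), the Python below applies RFC 6811 origin validation to constructed ROAs and announcements, and shows the limit the thread describes: a ROA-based check rejects a wrong origin or an over-long prefix, but accepts any AS_PATH that ends in the authorized origin, which is why path protection needs a separate mechanism such as BGPsec. The ASNs and prefixes are documentation values chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: (prefix, maxLength, origin AS)."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(roas, prefix, origin_as):
    """RFC 6811 validity state of (prefix, origin AS): valid / invalid / not-found."""
    net = ipaddress.ip_network(prefix)
    # A ROA "covers" the route if its prefix contains the announced prefix.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    # Valid if any covering ROA matches the origin AS and the prefix length
    # does not exceed the ROA's maxLength; otherwise invalid.
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def validate_announcement(roas, prefix, as_path):
    """ROV only looks at the rightmost AS (the origin); the rest of the
    AS_PATH is never checked, so a forged path with the right origin passes."""
    return rov_state(roas, prefix, as_path[-1])


# Constructed data: AS64496 is authorized to originate 192.0.2.0/24 exactly.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]


def example_results():
    return {
        "legitimate": validate_announcement(ROAS, "192.0.2.0/24", [64500, 64496]),
        "wrong_origin": validate_announcement(ROAS, "192.0.2.0/24", [64500, 64511]),
        "too_specific": validate_announcement(ROAS, "192.0.2.0/25", [64500, 64496]),
        "forged_path": validate_announcement(ROAS, "192.0.2.0/24", [64511, 64496]),
        "no_roa": validate_announcement(ROAS, "198.51.100.0/24", [64500, 64496]),
    }
```

The "forged_path" case comes back "valid" even though AS64496 never announced that route to AS64511; origin validation cannot see that, which is the thread's point.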