Towards an RPKI-rich Internet (and the appropriate allocation of responsibility in the event an RIR RPKI CA outage)
Nick Hilliard
nick at foobar.org
Mon Oct 1 16:44:17 UTC 2018
John Curran wrote on 01/10/2018 00:21:
> There is likely some on the nanog mailing list who have a view on this
> matter, so I pose the question of "who should be responsible" for
> consequences of RPKI RIR CA failure to this list for further discussion.
other replies in this thread have assumed that RPKI CA failure modes are
restricted to loss of availability, but there are others failure modes,
for example:
- fraud: rogue CA employee / external threat actor signs ROAs illegitimately
- negligence: CA accidentally signs illegitimate ROAs due to e.g.
software bug
- force majeure: e.g. court orders CA to sign prefix with AS0,
complicated by NIR RPKI delegation in jurisdictions which may have
difficult relations with other parts of the world.
These types of situations are well-trodden territory for other types of
PKI CA, where users
Otherwise, as other people have pointed out, catastrophic systems
failure at the CA is designed to be fail-safe. I.e. if the CA goes
away, ROAs will be evaluated as "unknown" and life will continue on. If
people misconfigure their networks and do silly things with this
specific failure mode, that's their problem. You can't stop people from
aiming guns at their feet and pulling the trigger.
Nick
More information about the NANOG
mailing list