[152430] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Alex Band)
Sun Apr 29 11:17:17 2012
From: Alex Band <alexb@ripe.net>
Date: Sun, 29 Apr 2012 17:16:39 +0200
In-Reply-To: <20120428192843.GD44404@macbook.bluepipe.net>
To: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 28 Apr 2012, at 21:28, Phil Regnauld wrote:
> Rubens Kuhl (rubensk) writes:
>>> In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
>>>
>>> https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>>
>> The same currently happens with DNSSEC, doing what Comcast calls
>> "negative trust anchors":
>> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
>
> Yes, NTAs were the comparison that came to my mind as well. Or even
> in classic DNS, overriding with stubs. You will get bitten by a bogus/
> flawed ROA, but you'll have the chance to mitigate it. Any kind of
> centralized mechanism like this is subject to these risks, no matter
> what the distribution mechanism is.
Now that we have cleared up the fact that any RPKI statement can be overridden, I want to address another tenacious misunderstanding in relation to what Randy said:
On 28 Apr 2012, at 15:58, Randy Bush wrote:
> the worry in the ripe region and elsewhere is what i call the 'virginia
> court attack', also called the 'dutch court attack'. some rights holder
> claims their movie is being hosted in your datacenter and they get the
> RIR to jerk the attestation to your ownership of the prefix or your ROA.
If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place. Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN.
The only way a court order could make a route announcement get the RPKI status *INVALID* would be to:

1: Remove the original, legitimate ROA
2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack
All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.

-Alex
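The UNKNOWN-versus-INVALID distinction Alex describes follows directly from the origin validation algorithm in RFC 6811 (an announcement with no covering ROA is "NotFound", i.e. UNKNOWN; one that is covered but matches no ROA's origin AS and maxLength is INVALID). The following script is an added illustration, not code from the NANOG thread, RIPE NCC or any validator project: it implements that algorithm over constructed ROAs (documentation prefix 192.0.2.0/24, private-use AS64500/AS64501) and walks through the "court order" scenarios from the post, plus a simple local override in the spirit of the SLURM filters/assertions defined in RFC 8416 (the `apply_local_override` helper and the scenario names are this example's own).

```python
# Added example (not from the NANOG thread): RFC 6811 route origin validation
# over a constructed set of ROAs, showing why deleting a ROA yields UNKNOWN
# (RFC 6811 "NotFound") while only a forged ROA can turn a route INVALID, and
# how an operator-side override neutralises a bad or missing ROA.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def covers(roa: ROA, announced: str) -> bool:
    """True if the ROA's prefix covers the announced prefix (RFC 6811 'Covered')."""
    roa_net = ip_network(roa.prefix)
    ann_net = ip_network(announced)
    # Version check first: subnet_of() raises on mixed IPv4/IPv6 input.
    return ann_net.version == roa_net.version and ann_net.subnet_of(roa_net)


def validate(announced: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation outcome: 'valid', 'invalid' or 'unknown'."""
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "unknown"      # no RPKI statement about this prefix at all
    ann_len = ip_network(announced).prefixlen
    for r in covering:
        if r.origin_asn == origin_asn and ann_len <= r.max_length:
            return "valid"
    return "invalid"          # covered, but no ROA matches this origin/length


def apply_local_override(roas, drop=(), add=()):
    """Operator-side override (constructed helper, modelled on RFC 8416 SLURM):
    drop ROAs the operator distrusts and add locally asserted ones."""
    kept = [r for r in roas if r not in set(drop)]
    return kept + list(add)


# Constructed data: documentation prefix and private-use AS numbers.
LEGIT = ROA("192.0.2.0/24", 24, 64500)   # the prefix holder's real ROA
FORGED = ROA("192.0.2.0/24", 24, 64501)  # a ROA injected for another AS


def court_order_scenarios() -> dict:
    """Outcomes for the legitimate announcement 192.0.2.0/24 from AS64500
    under the scenarios discussed in the thread."""
    ann, asn = "192.0.2.0/24", 64500
    return {
        # steady state: the holder's own ROA authorises the route
        "normal": validate(ann, asn, [LEGIT]),
        # court orders the ROA removed: no statement left -> UNKNOWN, not INVALID
        "roa_removed": validate(ann, asn, []),
        # a forged ROA alone does not hurt while the legitimate one still exists
        "forged_roa_added": validate(ann, asn, [LEGIT, FORGED]),
        # only removing the real ROA AND injecting a false one yields INVALID
        "removed_and_forged": validate(ann, asn, [FORGED]),
        # the operator's local override restores validity regardless of the registry
        "after_local_override": validate(
            ann, asn, apply_local_override([FORGED], drop=[FORGED], add=[LEGIT])),
    }


if __name__ == "__main__":
    for name, status in court_order_scenarios().items():
        print(f"{name:>22}: {status}")
```

Note that `validate` also enforces maxLength: a more-specific 192.0.2.0/25 announced by AS64500 against `LEGIT` (maxLength 24) is INVALID even though the origin AS matches, which is the standard way a ROA limits deaggregation.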