[152431] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Jennifer Rexford)
Sun Apr 29 11:29:40 2012
From: Jennifer Rexford <jrex@CS.Princeton.EDU>
In-Reply-To: <E2519DBA-2A15-48F4-B32C-A8C346BC1AE1@ripe.net>
Date: Sun, 29 Apr 2012 11:28:58 -0400
To: Alex Band <alexb@ripe.net>
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>> the worry in the ripe region and elsewhere is what i call the =
'virginia
>> court attack', also called the 'dutch court attack'. some rights =
holder
>> claims their movie is being hosted in your datacenter and they get =
the
>> RIR to jerk the attestation to your ownership of the prefix or your =
ROA.
>=20
> If a Dutch court would order the RIPE NCC to remove a certificate or =
ROA from the system, the effect would be that there no longer is an RPKI =
statement about a BGP route announcement. The result is that the =
announcement will have the RPKI status *UNKNOWN*. It will be like the =
organization never used RPKI to make the statement in the first place.=20=
>=20
> Thus, removing a certificate or ROA *does NOT* result in an RPKI =
INVALID route announcement; the result is RPKI UNKNOWN.
>=20
> The only way a court order could make a route announcement get the =
RPKI status *INVALID* would be to:
> 1: Remove the original, legitimate ROA
> 2: Tamper with the Registry, inject a false ROA authorizing another AS =
to make the announcement look like a hijack
How does this interact with the presence of certificates for supernets, =
though? That is, suppose an ISP creates a legitimate ROA for =
12.0.0.0/8, after ensuring that all of its customers have legitimate =
ROAs for the various subnets of 12.0.0.0/8. Now, suppose one of these =
customers has its legitimate ROA revoked by a court order. Would the =
legitimate announcement of that subnet (originated by the customer's =
ASN) still result in UNKNOWN status, or would it look like a sub-prefix =
hijack because the announcement has a different ASN than the matching =
12.0.0.0/8 prefix?
-- Jen
