[152434] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Sun Apr 29 12:38:48 2012
Date: Sun, 29 Apr 2012 18:37:59 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Jennifer Rexford <jrex@CS.Princeton.EDU>
In-Reply-To: <17627_1335716979_4F9D6C71_17627_8157_1_F53AFDE0-6034-45F5-9250-A289F72F5657@cs.princeton.edu>
Cc: Nanog <nanog@nanog.org>
On Sun, Apr 29, 2012 at 11:28:58AM -0400,
Jennifer Rexford <jrex@CS.Princeton.EDU> wrote
a message of 37 lines which said:
> How does this interact with the presence of certificates for
> supernets, though? That is, suppose an ISP creates a legitimate ROA
> for 12.0.0.0/8, after ensuring that all of its customers have
> legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose
> one of these customers has its legitimate ROA revoked by a court
> order. Would the legitimate announcement of that subnet (originated
> by the customer's ASN) still result in UNKNOWN status, or would it
> look like a sub-prefix hijack because the announcement has a
> different ASN than the matching 12.0.0.0/8 prefix?
The second (and therefore Alex Band's example is not good). But it
depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA
(section 3.3 of RFC 6482).
If, in the future, RIRs or operators create ROAs for all the blocks
they manage, revocation of a ROA will be deadly.
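The scenario in this exchange (a legitimate /8 ROA held by the ISP, the customer's more-specific ROA revoked, the customer still originating its subnet) can be checked mechanically against the route origin validation rules of RFC 6811: a ROA covers a route when the route prefix lies inside the ROA prefix, and a covering ROA matches only when the route's prefix length does not exceed the ROA's maxLength and the origin AS equals the ROA's AS. The code below is an added example written for this page, not code from the thread or from any RPKI validator; the ROA set, the AS numbers (64500 for the ISP, 64501 for the customer, from the documentation range) and the announcements are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: prefix, maxLength and the authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate_route(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'notfound' for a route per RFC 6811 section 2.

    - covered:  route prefix lies within the ROA prefix (maxLength plays no part here)
    - matched:  covered AND route prefix length <= maxLength AND origin AS == ROA AS
    valid    = at least one ROA matches
    invalid  = at least one ROA covers, but none matches
    notfound = no ROA covers the route
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version:
            continue  # subnet_of() only compares networks of the same family
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # An AS 0 ROA (RFC 6483 section 4 / RFC 7607) never matches a real announcement.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed data for the scenario in the thread (not real registry contents).
ISP_AS = 64500        # holder of the /8 ROA
CUSTOMER_AS = 64501   # originates a /16 carved out of the /8
CUSTOMER_ROUTE = "12.34.0.0/16"


def thread_scenario() -> dict:
    """Evaluate the customer's /16 announcement under the cases discussed."""
    before_revocation = [ROA("12.0.0.0/8", 8, ISP_AS), ROA("12.34.0.0/16", 16, CUSTOMER_AS)]
    after_revocation_ml8 = [ROA("12.0.0.0/8", 8, ISP_AS)]
    after_revocation_ml16 = [ROA("12.0.0.0/8", 16, ISP_AS)]
    return {
        # customer ROA present: the more-specific ROA matches
        "customer_roa_present": validate_route(CUSTOMER_ROUTE, CUSTOMER_AS, before_revocation),
        # customer ROA revoked: the /8 still covers, nothing matches
        "revoked_maxlen_8": validate_route(CUSTOMER_ROUTE, CUSTOMER_AS, after_revocation_ml8),
        # raising maxLength does not help: the origin AS still differs from the ROA AS
        "revoked_maxlen_16": validate_route(CUSTOMER_ROUTE, CUSTOMER_AS, after_revocation_ml16),
        # maxLength does decide whether the ISP's own more-specifics are valid
        "isp_own_maxlen_8": validate_route(CUSTOMER_ROUTE, ISP_AS, after_revocation_ml8),
        "isp_own_maxlen_16": validate_route(CUSTOMER_ROUTE, ISP_AS, after_revocation_ml16),
        # a prefix with no covering ROA at all stays NotFound
        "uncovered_prefix": validate_route("192.0.2.0/24", CUSTOMER_AS, after_revocation_ml8),
    }


if __name__ == "__main__":
    for case, state in thread_scenario().items():
        print(f"{case:24s} {state}")
```

The point the example makes visible is which knob does what: once the customer's own ROA is gone, the /8 ROA covers the /16 announcement whatever its maxLength, so the announcement is Invalid, not NotFound; maxLength only governs whether the ISP's own AS may originate the more-specifics. A validator that drops or depreferences Invalid routes would therefore treat the orphaned customer exactly like a sub-prefix hijacker.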