[152438] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Alex Band)
Sun Apr 29 16:39:19 2012
From: Alex Band <alexb@ripe.net>
In-Reply-To: <C52DD1FB-987B-466B-AB00-9098608B67BC@virtualized.org>
Date: Sun, 29 Apr 2012 22:38:39 +0200
To: David Conrad <drc@virtualized.org>
Cc: Nanog <nanog@nanog.org>
On 29 Apr 2012, at 22:03, David Conrad wrote:
> Alex,
>
> On Apr 29, 2012, at 8:16 AM, Alex Band wrote:
>> All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override.
>
> I suspect the court order would simply say something like 'RIPE-NCC must, upon pain of contempt of court, take sufficient steps to invalidate the allocations made to customer X' and leave it up to you all to figure out how to do it. I doubt they'd care all that much about implementation details. Are you saying it is not possible for RIPE-NCC staff to do this? I also doubt the court would care too much about 'local override' as the "Tyranny of Defaults" would be sufficient for their needs (and they could probably sanction the folks in the Netherlands who they discovered did the override).
>
> As Randy points out, this is not unique to SIDR-defined RPKI. It is applicable to any top-down hierarchical authorization mechanism. Security has (non-monetary) costs.
Thanks David, I know that a court order doesn't have to be specific. I just want to make people aware that in the case of RPKI, things are not as clear cut as "Revoked ROA = Offline network". It depends on many factors and I just want to offer a little perspective of what's involved.
-Alex
(P.S. I'm going on holiday for a week without internet access, so I won't be able to follow up on this thread for a while)
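As an added illustration of why "Revoked ROA = Offline network" is not clear cut (example code written for this archive page, not from either poster): RFC 6811 origin validation run over constructed ROAs for a hypothetical customer X (192.0.2.0/24, AS64500). Revoking the only ROA leaves the route NotFound rather than Invalid; only an injected ROA that still covers the prefix (here an AS 0 ROA, which matches no real origin) makes it Invalid, and an operator-side local override restores Valid.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"

def roa(prefix, asn, max_length=None):
    """Minimal ROA record: prefix, authorised origin AS, maxLength (defaults to prefix length)."""
    net = ipaddress.ip_network(prefix)
    return {"prefix": net, "asn": asn,
            "max_length": net.prefixlen if max_length is None else max_length}

def rov_state(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation of one route against a set of validated ROAs."""
    route = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas
                if r["prefix"].version == route.version and route.subnet_of(r["prefix"])]
    if not covering:
        return NOT_FOUND   # no ROA says anything about this prefix; most operators accept these
    if any(r["asn"] == origin_asn and route.prefixlen <= r["max_length"] for r in covering):
        return VALID
    return INVALID         # covered, but no ROA matches origin/maxLength (AS 0 never matches)

def with_local_override(roas, drop=(), add=()):
    """Operator-side override: ignore selected published ROAs and/or trust locally asserted ones.
    'drop' holds (prefix, asn) pairs to ignore; 'add' holds ROA records treated as if published."""
    drop_keys = {(ipaddress.ip_network(p), a) for p, a in drop}
    kept = [r for r in roas if (r["prefix"], r["asn"]) not in drop_keys]
    return kept + list(add)

def revocation_scenario(route="192.0.2.0/24", origin=64500):
    """Constructed customer-X case: report the route's validation state at each stage."""
    published = [roa(route, origin)]   # customer X's legitimate ROA as published by the RIR
    revoked = []                       # RIR revokes that ROA and publishes nothing else
    injected = [roa(route, 0)]         # RIR additionally publishes an AS 0 ROA for the prefix
    overridden = with_local_override(injected, drop=[(route, 0)], add=[roa(route, origin)])
    return {
        "published": rov_state(route, origin, published),
        "revoked_only": rov_state(route, origin, revoked),
        "revoked_plus_injected": rov_state(route, origin, injected),
        "local_override": rov_state(route, origin, overridden),
    }

if __name__ == "__main__":
    for stage, state in revocation_scenario().items():
        print(f"{stage:>22}: {state}")
```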