[153074] in North American Network Operators' Group


Re: rpki vs. secure dns?

daemon@ATHENA.MIT.EDU (Alex Band)
Tue May 29 11:25:09 2012

From: Alex Band <alexb@ripe.net>
In-Reply-To: <6C8F01BD-72C5-4361-B5C8-6603B24B426C@virtualized.org>
Date: Tue, 29 May 2012 17:23:29 +0200
To: David Conrad <drc@virtualized.org>
Cc: paul vixie <vixie@isc.org>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 29 May 2012, at 16:21, David Conrad wrote:

> On May 29, 2012, at 4:02 AM, paul vixie wrote:
>>>> i can tell more than that. rover is a system that only works at all
>>>> when everything everywhere is working well, and when changes always
>>>> come in perfect time-order,
>>> Exactly like DNSSEC.
>>
>> no. dnssec for a response only needs that response's delegation and
>> signing path to work, not "everything everywhere".
>
> My impression was that ROVER does not need "everything, everywhere" to
> work to fetch the routing information for a particular prefix -- it
> merely needs sufficient routing information to follow the delegation and
> signing path for the prefix it is looking up. However, I'll admit I
> haven't looked into this in any particular depth so I'm probably wrong.

RPKI needs the full data set to determine if a BGP prefix has the status
'valid', 'invalid' or 'unknown'. It can't work with partial data. For
example, if you are the holder of 10.0.0.0/16 and you originate the full
aggregate from AS123 and a more specific such as 10.0.1.0/24 from AS456,
then you will need a ROA for both to make them both 'valid'. If you only
authorize 10.0.0.0/16 with AS123, then the announcement from AS456 will
be 'invalid'. If you only authorize 10.0.1.0/24 from AS456, the
announcement from AS123 will remain 'unknown'.

So in RPKI, partial data – so you failed to fetch one of the ROAs in
the set – can make something 'invalid' or 'unknown' that should
actually be 'valid'.
http://tools.ietf.org/html/rfc6483#page-3

As far as I know, ROVER doesn't work like that. You can make a positive
statement about a Prefix+AS combination, but that doesn't mark the
origination from another AS 'unauthorized' or 'invalid', there merely
isn't a statement for it. (Someone please confirm. I may be wrong.)

-Alex
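The RFC 6483 origin-validation outcome Alex describes, worked through as an added example (not code from the thread or from any RPKI validator): a ROA "covers" a route when the route sits inside the ROA prefix, "matches" it when the route length is within maxLength and the origin AS agrees, and the three statuses fall out of cover/match. The ROA set and announcements are constructed from the /16 and /24 in the mail; the `evaluate` helper is hypothetical.

```python
# Added example: RFC 6483 route origin validation over a small ROA set,
# reproducing the /16 + /24 scenario from the mail with full and partial data.
import ipaddress
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: str      # e.g. "10.0.0.0/16"
    max_length: int  # maxLength; equals the prefix length when not set
    asn: int         # authorized origin AS


def validate(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route only when the route lies inside the ROA prefix
        # (same address family; a /16 is not covered by a /24 ROA).
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches when the route is no longer than maxLength
        # and the origin AS is the one the ROA authorizes.
        if route.prefixlen <= roa.max_length and origin_as == roa.asn:
            return "valid"
    # Covered but never matched -> invalid; no covering ROA at all -> unknown.
    return "invalid" if covered else "unknown"


# Constructed scenario from the mail: aggregate from AS123, more specific from AS456.
FULL_SET = [ROA("10.0.0.0/16", 16, 123), ROA("10.0.1.0/24", 24, 456)]
ANNOUNCEMENTS = [("10.0.0.0/16", 123), ("10.0.1.0/24", 456)]


def evaluate(roas: Iterable[ROA]) -> dict:
    """Hypothetical helper: status of every announcement under one ROA set."""
    roas = list(roas)
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in ANNOUNCEMENTS}


if __name__ == "__main__":
    print("full ROA set: ", evaluate(FULL_SET))      # both valid
    print("only /16 ROA: ", evaluate(FULL_SET[:1]))  # /24 from AS456 -> invalid
    print("only /24 ROA: ", evaluate(FULL_SET[1:]))  # /16 from AS123 -> unknown
```

Dropping either ROA from the fetched set flips a legitimate announcement to 'invalid' or 'unknown', which is why a validator cannot reason from a partial repository.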

