[153076] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Richard Barnes)
Tue May 29 12:35:02 2012
In-Reply-To: <276EF4CD-1710-4F71-8728-894C0433286A@ripe.net>
Date: Tue, 29 May 2012 12:33:51 -0400
From: Richard Barnes <richard.barnes@gmail.com>
To: Alex Band <alexb@ripe.net>
Cc: paul vixie <vixie@isc.org>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>>>>> i can tell more than that. rover is a system that only works at all
>>>>> when everything everywhere is working well, and when changes always
>>>>> come in perfect time-order,
>>>> Exactly like DNSSEC.
>>>
>>> no. dnssec for a response only needs that response's delegation and
>>> signing path to work, not "everything everywhere".
>>
>> My impression was that ROVER does not need "everything, everywhere" to
>> work to fetch the routing information for a particular prefix -- it merely
>> needs sufficient routing information to follow the delegation and signing
>> path for the prefix it is looking up. However, I'll admit I haven't looked
>> into this in any particular depth so I'm probably wrong.
>
> RPKI needs the full data set to determine if a BGP prefix has the status
> 'valid', 'invalid' or 'unknown'. It can't work with partial data. For
> example, if you are the holder of 10.0.0.0/16 and you originate the full
> aggregate from AS123 and a more specific such as 10.0.1.0/24 from AS456,
> then you will need a ROA for both to make them both 'valid'. If you only
> authorize 10.0.0.0/16 with AS123, then the announcement from AS456 will be
> 'invalid'. If you only authorize 10.0.1.0/24 from AS456, the announcement
> from AS123 will remain 'unknown'.
>
> So in RPKI, partial data – so you failed to fetch one of the ROAs in the
> set – can make something 'invalid' or 'unknown' that should actually be
> 'valid'.
> http://tools.ietf.org/html/rfc6483#page-3
I wouldn't read that as saying that the RPKI requires you to have full
data in order to provide any benefit. Where sufficient certs and ROAs
exist to validate an announcement, you can mark it valid/invalid --
just like ROVER, but with a harder failure case.
> As far as I know, ROVER doesn't work like that. You can make a positive
> statement about a Prefix+AS combination, but that doesn't mark the
> origination from another AS 'unauthorized' or 'invalid', there merely
> isn't a statement for it. (Someone please confirm. I may be wrong.)
Of course, there's a reason that an announcement that contradicts a
ROA is marked as invalid [RFC6483]. Such announcements are hijacks,
the attacks that the RPKI is designed to prevent. If ROVER doesn't
provide a hard fail here, then it would seem to not be providing much
security benefit.
I agree with the person higher up the thread that ROVER seems like
just another distribution mechanism for what is essentially RPKI data.
--Richard
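The validation outcomes Alex walks through above (valid / invalid / unknown, and how a missing ROA flips the result) are easy to reproduce in code. The following is an added example written for this archive page, not code from Richard, Alex, or any RPKI validator; it implements the RFC 6483 route-origin validation decision over an in-memory ROA set. The ROA fields (prefix, maxLength, origin ASN) are the standard ROA contents; the prefixes, ASNs and the "partial fetch" scenarios are constructed from Alex's example.

```python
"""RFC 6483 route-origin validation over a toy ROA set (added example).

A route is checked against every ROA whose prefix covers the announced
prefix:
  - no covering ROA at all          -> "unknown"  (RFC 6483: NotFound)
  - a covering ROA with the same origin ASN and an acceptable maxLength
                                    -> "valid"
  - covering ROAs exist but none match the origin
                                    -> "invalid"
The scenarios at the bottom show why a validator that fetched only part of
the ROA set can downgrade a legitimate announcement.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # address prefix the holder authorises, e.g. "10.0.0.0/16"
    max_length: int   # longest more-specific the origin may announce
    asn: int          # authorised origin AS


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    route = ip_network(route_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def validate_all(routes, roas) -> dict:
    """Validate a list of (prefix, origin_asn) pairs against one ROA set."""
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in routes}


# Constructed from the thread's example: the holder of 10.0.0.0/16 announces
# the aggregate from AS123 and a more specific from AS456.
ROUTES = [("10.0.0.0/16", 123), ("10.0.1.0/24", 456)]

FULL_ROAS = [ROA("10.0.0.0/16", 16, 123), ROA("10.0.1.0/24", 24, 456)]
ONLY_AGGREGATE_ROA = [ROA("10.0.0.0/16", 16, 123)]   # the /24 ROA was not fetched
ONLY_SPECIFIC_ROA = [ROA("10.0.1.0/24", 24, 456)]    # the /16 ROA was not fetched


def partial_data_scenarios() -> dict:
    """Same two announcements, three views of the ROA set."""
    return {
        "complete set": validate_all(ROUTES, FULL_ROAS),
        "missing /24 ROA": validate_all(ROUTES, ONLY_AGGREGATE_ROA),
        "missing /16 ROA": validate_all(ROUTES, ONLY_SPECIFIC_ROA),
    }


if __name__ == "__main__":
    for view, results in partial_data_scenarios().items():
        print(view)
        for route, state in results.items():
            print(f"  {route:20s} {state}")
```

With the complete set both announcements come out valid. Drop the /24 ROA and the AS456 announcement becomes invalid, because the /16 ROA covers it but names a different origin; drop the /16 ROA instead and the AS123 announcement becomes unknown, because nothing covers it. That is the asymmetry the thread is discussing: a covering ROA turns "no statement" into a hard fail, so a relying party that cannot fetch the whole repository needs to treat its verdicts with care.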