[153078] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Richard Barnes)
Tue May 29 13:38:50 2012
In-Reply-To: <4F4FBD95-846F-4A4F-B0B9-54C765B5ECC0@ripe.net>
Date: Tue, 29 May 2012 13:37:45 -0400
From: Richard Barnes <richard.barnes@gmail.com>
To: Alex Band <alexb@ripe.net>
Cc: paul vixie <vixie@isc.org>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>>> So in RPKI, partial data – so you failed to fetch one of the ROAs in the set – can make something 'invalid' or 'unknown' that should actually be 'valid'.
>>> http://tools.ietf.org/html/rfc6483#page-3
>>
>> I wouldn't read that as saying that the RPKI requires you to have full
>> data in order to provide any benefit. Where sufficient certs and ROAs
>> exist to validate an announcement, you can mark it valid/invalid --
>> just like ROVER, but with a harder failure case.
>
> I don't mean that you need ROAs describing every route announcement in existence for it to be useful.
>
> What I mean is for an operator to determine if a route announcement is RPKI valid, invalid or unknown, they will need *all* ROAs that *have been created*. If they miss a ROA in the data set during the fetching process, a route can end up with the incorrect validity state. See my example.
Oh, ok sure. The validation outcomes with full data will be different
than with partial data. But that's why the "unknown" state is there
-- as there's more data, things move from "unknown" to
"valid/invalid".
>>> As far as I know, ROVER doesn't work like that. You can make a positive statement about a Prefix+AS combination, but that doesn't mark the origination from another AS 'unauthorized' or 'invalid', there merely isn't a statement for it. (Someone please confirm. I may be wrong.)
>>
>> Of course, there's a reason that an announcement that contradicts a
>> ROA is marked as invalid [RFC6483]. Such announcements are hijacks,
>> the attacks that the RPKI is designed to prevent. If ROVER doesn't
>> provide a hard fail here, then it would seem to not be providing much
>> security benefit.
>
> That does seem the case. I don't think ROVER provides a hard fail. Can someone confirm?
>
>> I agree with the person higher up the thread that ROVER seems like
>> just another distribution mechanism for what is essentially RPKI data.
>
> But does that distribution method easily allow you to get the full set of available data?
From what little I know, it seems to me that ROVER is optimized for
point queries, rather than bulk data access. Which is the opposite of
making it easy to get full data :)
--Richard
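
Added example, not part of the original message or of any validator's code: a minimal sketch of RFC 6483 origin validation showing how the same announcement is classified with the full ROA set, with one ROA missed during fetching, and with nothing fetched. The prefixes, AS numbers and function names are constructed for illustration (documentation ranges).

```python
import ipaddress
from typing import NamedTuple, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class ROA(NamedTuple):
    prefix: Net
    max_length: int
    asn: int

def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

def validate(route_prefix: str, origin_asn: int, roas: Sequence[ROA]) -> str:
    """Classify one announcement against whatever ROAs were fetched."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA is relevant only if its prefix covers the announced prefix.
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # AS 0 in a ROA never matches a route (RFC 6483, section 4).
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered but unmatched is the hard fail; no covering ROA is "unknown".
    return "invalid" if covered else "unknown"

# Constructed sample data: two ROAs authorising two origins for one prefix.
FULL = [roa("192.0.2.0/24", 24, 64500), roa("192.0.2.0/24", 24, 64501)]
ROUTE = ("192.0.2.0/24", 64501)

def outcomes() -> dict:
    return {
        "full": validate(*ROUTE, FULL),
        "one ROA missed": validate(*ROUTE, FULL[:1]),
        "nothing fetched": validate(*ROUTE, []),
        "other origin, full": validate("192.0.2.0/24", 64511, FULL),
    }

if __name__ == "__main__":
    for case, state in outcomes().items():
        print(f"{case:20} {state}")
```
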