nanog mailing list archives

Re: rpki vs. secure dns?

From: Brandon Butterworth <brandon () rd bbc co uk>
Date: Sun, 29 Apr 2012 17:21:23 +0100 (BST)

Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID
route announcement; the result is RPKI UNKNOWN.


Which is fine until UNKNOWNs are no longer permitted, a logical next
step. It may not apply globally, initially perhaps just a US anti
terrorist measure requiring all networks in the USA do it.

The only way a court order could make a route announcement get the
RPKI status *INVALID* would be to:
1: Remove the original, legitimate ROA
2: Tamper with the Registry, inject a false ROA authorizing another
AS to make the announcement look like a hijack


Domains already get FBI hijacked so this seems plausible too.

All in all, for an RPKI-specific court order to be effective in
taking a network offline, the RIR would have to tamper with the
registry, inject false data and try to make sure it's not detected so
nobody applies a local override.


Doesn't need to be undetected, more likely it'll be quite overt
and have a big don't mess FBI entry in the RIR similar to
www.megaupload.com

brandon

Current thread:

Re: rpki vs. secure dns?, (continued)
- - - Re: rpki vs. secure dns? Dmitry Burkov (Apr 30)
    - Re: rpki vs. secure dns? Randy Bush (Apr 30)
    - Re: rpki vs. secure dns? Jared Mauch (Apr 30)
    - Re: rpki vs. secure dns? Christopher Morrow (Apr 30)
    - Re: rpki vs. secure dns? Dmitry Burkov (Apr 30)
    - Message not available
    - Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 28)
    - Message not available
    - Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 28)
    - Re: rpki vs. secure dns? Alex Band (Apr 28)
- Re: rpki vs. secure dns? Saku Ytti (Apr 28)
- Message not available
  - Re: rpki vs. secure dns? Stephane Bortzmeyer (Apr 28)
- Re: rpki vs. secure dns? Brandon Butterworth (Apr 29)
- Re: rpki vs. secure dns? Brandon Butterworth (Apr 30)
  - Re: rpki vs. secure dns? Phil Regnauld (Apr 30)