nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 21 Apr 2020 12:25:33 -0400
On Tue, Apr 21, 2020 at 12:17 PM Matt Corallo via NANOG <nanog () nanog org> wrote:
Not sure how this helps? If RIPE (or a government official/court) decides the sanctions against Iranian LIRs prevent them from issuing number resources to said LIRs, they would just remove the delegation. They’d probably then issue an AS0 ROA to replace out given the “AS0 ROA for bogons” policy. In an hour or so these LIRs are now disconnected from the world.
1) there are other ways the black helicopter people can do their business, this is but one new lever.
2) this is the sort of thing that local TAL / SLURM are meant to help 'fix'.
3) see the long discussions of this in the sidr/sidr-ops wg lists :(
On Apr 21, 2020, at 02:30, Alex Band <alex () nlnetlabs nl> wrote:
On 21 Apr 2020, at 11:09, Baldur Norddahl <baldur.norddahl () gmail com> wrote:
On 21.04.2020 10.56, Sander Steffann wrote:
Hi,
Removing a resource from the certificate to achieve the goal you describe will make the route announcement NotFound, which means it will be accepted. Evil RIR would have to replace an existing ROA with one that explicitly makes a route invalid, i.e. issue an AS0 ROA for specific member prefix. This seems like a pretty convoluted way to try and take a network offline.
I've seen worse…
Sander
As long as Good RIR continues to publish a valid ROA for the real ASN that evil AS0 ROA would have no effect?
Correct. Should this really be a concern, then you can run Delegated RPKI. In that case the RIR can’t tamper with your ROA because it’s not on their systems. Evil RIR could only revoke a prefix from your certificate or your entire certificate, but again, your BGP announcements would fall back to NotFound and would be accepted.
-Alex
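
The outcomes discussed in this message and its quoted thread (removed ROA, AS0 ROA, AS0 ROA next to a valid ROA, local SLURM override), worked through as an added example that is not part of any poster's message. It follows RFC 6811 origin validation with a simplified form of RFC 8416 SLURM filters and assertions; the function names, the prefix 192.0.2.0/24 and AS64500 are assumptions chosen for illustration.

```python
import ipaddress

def rov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True  # at least one VRP covers the announced prefix
        # AS0 can never be a route's origin, so an AS0 VRP never matches.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def apply_slurm(vrps, prefix_filters=(), prefix_assertions=()):
    """Simplified RFC 8416: drop VRPs hit by a local filter, then add local assertions."""
    kept = []
    for vrp in vrps:
        net = ipaddress.ip_network(vrp[0])
        hit = any(
            net.version == ipaddress.ip_network(fp).version
            and net.subnet_of(ipaddress.ip_network(fp))
            and (f_as is None or f_as == vrp[2])
            for fp, f_as in prefix_filters)
        if not hit:
            kept.append(vrp)
    return kept + list(prefix_assertions)

# Constructed sample data: (prefix, maxLength, ASN) tuples, documentation ranges only.
ROUTE = ("192.0.2.0/24", 64500)
GOOD = ("192.0.2.0/24", 24, 64500)
AS0 = ("192.0.2.0/24", 24, 0)

def scenarios():
    """State of ROUTE under each situation raised in the thread."""
    local_filter = [("192.0.2.0/24", 0)]  # operator's own SLURM prefixFilter
    return {
        "roa_published": rov_state(*ROUTE, [GOOD]),
        "roa_removed": rov_state(*ROUTE, []),
        "replaced_by_as0": rov_state(*ROUTE, [AS0]),
        "as0_plus_good": rov_state(*ROUTE, [GOOD, AS0]),
        "as0_filtered": rov_state(*ROUTE, apply_slurm([AS0], local_filter)),
        "local_assertion": rov_state(*ROUTE, apply_slurm([AS0], (), [GOOD])),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:16} {state}")
```

Under a policy that rejects only Invalid routes, the only scenario that drops the announcement is the AS0 ROA with no matching ROA and no local override.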