On Tue, Apr 21, 2020 at 12:17 PM Matt Corallo via NANOG <nanog@nanog.org> wrote:
>
> Not sure how this helps? If RIPE (or a government official/court) decides the
> sanctions against Iranian LIRs prevent them from issuing number resources to
> said LIRs, they would just remove the delegation. They’d probably then issue
> an AS0 ROA to replace out given the “AS0 ROA for bogons” policy. In an hour
> or so these LIRs are now disconnected from the world.
>

1) there are other ways the black helicopter people can do their business,
this is but one new lever.
2) this is the sort of thing that local TAL / SLURM are meant to help 'fix'.
3) see the long discussions of this in the sidr/sidr-ops wg lists :(

>
> On Apr 21, 2020, at 02:30, Alex Band <a...@nlnetlabs.nl> wrote:
> >
> >
> >> On 21 Apr 2020, at 11:09, Baldur Norddahl <baldur.nordd...@gmail.com>
> >> wrote:
> >>
> >>
> >>
> >>> On 21.04.2020 10.56, Sander Steffann wrote:
> >>> Hi,
> >>>
> >>>> Removing a resource from the certificate to achieve the goal you
> >>>> describe will make the route announcement NotFound, which means it will
> >>>> be accepted. Evil RIR would have to replace an existing ROA with one
> >>>> that explicitly makes a route invalid, i.e. issue an AS0 ROA for
> >>>> specific member prefix. This seems like a pretty convoluted way to try
> >>>> and take a network offline.
> >>> I've seen worse…
> >>> Sander
> >>>
> >>
> >> As long as Good RIR continues to publish a valid ROA for the real ASN that
> >> evil AS0 ROA would have no effect?
> >
> > Correct.
> >
> > Should this really be a concern, then you can run Delegated RPKI. In that
> > case the RIR can’t tamper with your ROA because it’s not on their systems.
> > Evil RIR could only revoke a prefix from your certificate or your entire
> > certificate, but again, your BGP announcements would fall back to NotFound
> > and would be accepted.
> >
> > -Alex
>
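
The validation outcomes discussed in this thread, worked through as an added example that is not part of any poster's message: a minimal RFC 6811 origin-validation function plus an RFC 8416 (SLURM) style prefix filter. The prefix 192.0.2.0/24, AS 64500 and all function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class VRP(NamedTuple):
    """Validated ROA payload: what a relying party extracts from a ROA."""
    prefix: str
    max_len: int
    asn: int

def validate(route: str, origin_asn: int, vrps: list) -> str:
    """RFC 6811 origin validation state for one BGP announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # AS0 can never match an origin, so an AS0 VRP only ever "covers".
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def slurm_prefix_filter(vrps: list, prefix: str, asn: Optional[int] = None) -> list:
    """Drop VRPs the way an RFC 8416 prefixFilter does (local override)."""
    flt = ipaddress.ip_network(prefix)
    def matches(v):
        n = ipaddress.ip_network(v.prefix)
        in_prefix = n.version == flt.version and n.subnet_of(flt)
        return in_prefix and (asn is None or v.asn == asn)
    return [v for v in vrps if not matches(v)]

# Constructed sample data: documentation prefix and ASN, not from the thread.
ROUTE, ORIGIN = "192.0.2.0/24", 64500
MEMBER_ROA = VRP("192.0.2.0/24", 24, 64500)
AS0_ROA = VRP("192.0.2.0/24", 24, 0)

def scenarios() -> dict:
    return {
        "member ROA published": validate(ROUTE, ORIGIN, [MEMBER_ROA]),
        "ROA/resource removed": validate(ROUTE, ORIGIN, []),
        "AS0 ROA replaces member ROA": validate(ROUTE, ORIGIN, [AS0_ROA]),
        "AS0 ROA beside member ROA": validate(ROUTE, ORIGIN, [AS0_ROA, MEMBER_ROA]),
        "AS0 ROA filtered locally (SLURM)": validate(
            ROUTE, ORIGIN, slurm_prefix_filter([AS0_ROA], "192.0.2.0/24", asn=0)),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{state:9} {name}")
```

Only the third scenario yields Invalid; a relying party that applies the local filter sees that same route as NotFound again.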