Re: rpki vs. secure dns?

2012-06-05 Thread Samuel Weiler
On Mon, 28 May 2012, David Conrad wrote: As far as I can tell, ROVER is simply Yet Another RPKI Access Method like rsync and bittorrent with its own positives and negatives. Not quite. ROVER's SRO & RLOCK statements have different semantics than RPKI ROAs, and there are semantics that may no

Re: rpki vs. secure dns?

2012-06-01 Thread Rob Austein
Another difference between RPKI and ROVER which hasn't come up much: RPKI incorporates a lot of pre-existing machinery from X.509 et al. This drags in some tedious detail which makes people's eyes cross, but it gives us some tools which simply aren't available in DNS at present. In particular, X.

Re: rpki vs. secure dns?

2012-05-30 Thread Randy Bush
>> I would also ask people to expand their minds beyond the "it must >> have a (near-)real-time mechanism" directly coupled to the Control >> Plane" for a variety of reasons. Such a tight coupling of /any/ two >> systems inevitably, and unfortunately, will only fail at scale in >> ways that likely

Re: rpki vs. secure dns?

2012-05-29 Thread Paul Vixie
"ah, the force is strong in this one." On 2012-05-30 3:52 AM, Shane Amante wrote: > On May 29, 2012, at 9:23 AM, Alex Band wrote: >> ... >> >> As far as I know, ROVER doesn't work like that. You can make a positive >> statement about a Prefix+AS combination, but that doesn't mark the >> originat

Re: rpki vs. secure dns?

2012-05-29 Thread Shane Amante
Paul, On May 29, 2012, at 8:44 PM, Paul Vixie wrote: > On 2012-05-29 5:37 PM, Richard Barnes wrote: I agree with the person higher up the thread that ROVER seems like just another distribution mechanism for what is essentially RPKI data. > > noting, that up-thread person also said "i ha

Re: rpki vs. secure dns?

2012-05-29 Thread Shane Amante
Alex, First, I would note that there is a talk specifically on this subject coming up at NANOG 55, which is scheduled for Tuesday afternoon from 2:30 - 3 PM. (Note, I'm not giving the talk, just pointing out that your questions may best be followed up face-to-face then). Anyway, see below. O

Re: rpki vs. secure dns?

2012-05-29 Thread Randy Bush
> http://www.cafepress.com/nxdomain/8592477 > randy, who will be wearing his at nanog oops! should acknowledge that it was a gracious gift from geoff, to whom i had introduced http://sugru.com/ the hacker's playdough randy

Re: rpki vs. secure dns?

2012-05-29 Thread Randy Bush
http://www.cafepress.com/nxdomain/8592477 randy, who will be wearing his at nanog

Re: rpki vs. secure dns?

2012-05-29 Thread Paul Vixie
On 2012-05-29 5:37 PM, Richard Barnes wrote: >>> I agree with the person higher up the thread that ROVER seems like >>> just another distribution mechanism for what is essentially RPKI data. noting, that up-thread person also said "i haven't studied this in detail so i'm probably wrong." >> But do

Re: rpki vs. secure dns?

2012-05-29 Thread David Conrad
On May 29, 2012, at 8:23 AM, Alex Band wrote: > RPKI needs the full data set to determine if a BGP prefix has the status > 'valid', 'invalid' or 'unknown'. It can't work with partial data. I think I now understand concerns about scaling... :-) Regards, -drc

Re: rpki vs. secure dns?

2012-05-29 Thread Richard Barnes
>>> So in RPKI, partial data – so you failed to fetch one of the ROAs in the >>> set – can make something 'invalid' or 'unknown' that should actually be >>> 'valid'. >>> http://tools.ietf.org/html/rfc6483#page-3 >> >> I wouldn't read that as saying that the RPKI requires you to have full >> data

Re: rpki vs. secure dns?

2012-05-29 Thread Alex Band
On 29 May 2012, at 18:33, Richard Barnes wrote: >> i can tell more than that. rover is a system that only works at all >> when everything everywhere is working well, and when changes always >> come in perfect time-order, > Exactly like DNSSEC. no. dnssec for a response

Re: rpki vs. secure dns?

2012-05-29 Thread Richard Barnes
> i can tell more than that. rover is a system that only works at all > when everything everywhere is working well, and when changes always > come in perfect time-order, Exactly like DNSSEC. >>> >>> no. dnssec for a response only needs that response's delegation and >>> signing pat

Re: rpki vs. secure dns?

2012-05-29 Thread Alex Band
On 29 May 2012, at 16:21, David Conrad wrote: > On May 29, 2012, at 4:02 AM, paul vixie wrote: i can tell more than that. rover is a system that only works at all when everything everywhere is working well, and when changes always come in perfect time-order, >>> Exactly like DNSSEC.

Re: rpki vs. secure dns?

2012-05-29 Thread David Conrad
On May 29, 2012, at 4:02 AM, paul vixie wrote: >>> i can tell more than that. rover is a system that only works at all >>> when everything everywhere is working well, and when changes always >>> come in perfect time-order, >> Exactly like DNSSEC. > > no. dnssec for a response only needs that resp

Re: rpki vs. secure dns?

2012-05-29 Thread paul vixie
On 5/29/2012 10:27 AM, Stephane Bortzmeyer wrote: > On Mon, May 28, 2012 at 10:01:59PM +, > paul vixie wrote > a message of 37 lines which said: > >> i can tell more than that. rover is a system that only works at all >> when everything everywhere is working well, and when changes always >>

Re: rpki vs. secure dns?

2012-05-29 Thread Stephane Bortzmeyer
On Mon, May 28, 2012 at 08:59:28PM +, Paul Vixie wrote a message of 43 lines which said: > ROVER expects that we will query for policy at the instant of > need. that's nuts for a lot of reasons, one of which is its > potentially and unmanageably circular dependency on the acceptance > of a

Re: rpki vs. secure dns?

2012-05-29 Thread Stephane Bortzmeyer
On Mon, May 28, 2012 at 10:01:59PM +, paul vixie wrote a message of 37 lines which said: > i can tell more than that. rover is a system that only works at all > when everything everywhere is working well, and when changes always > come in perfect time-order, Exactly like DNSSEC. So, DNSSE

Re: rpki vs. secure dns?

2012-05-28 Thread paul vixie
On 5/28/2012 9:42 PM, David Conrad wrote: > On May 28, 2012, at 1:59 PM, Paul Vixie wrote: >> third, rsync's dependencies on routing (as in the RPKI+ROA case) are not >> circular (which i think was david conrad's point but i'll drag it to here.) > Nope. My point was that anything that uses the Int

Re: rpki vs. secure dns?

2012-05-28 Thread David Conrad
On May 28, 2012, at 1:59 PM, Paul Vixie wrote: > third, rsync's dependencies on routing (as in the RPKI+ROA case) are not > circular (which i think was david conrad's point but i'll drag it to here.) Nope. My point was that anything that uses the Internet to fetch the data (including rsync) has

Re: rpki vs. secure dns?

2012-05-28 Thread Paul Vixie
more "threads from the crypt" as i catch up to 6000 missed nanog posts. "Dobbins, Roland" writes: > On Apr 28, 2012, at 5:17 PM, Saku Ytti wrote: > >> People might be scared to rely on DNS on accepting routes, but is this >> really an issue? > > Yes, recursive dependencies are an issue. I'm really

Re: rpki vs. secure dns?

2012-05-01 Thread Dobbins, Roland
On May 2, 2012, at 12:46 AM, Russ White wrote: > There are situations where it won't work (mostly thinking high mobility > environments, or complete system failures), but these don't seem to be big > "stoppers," to me Within the next 10 years, everything/everywhere is going to become a 'h

Re: rpki vs. secure dns?

2012-05-01 Thread Martin Millnert
On Sun, 2012-04-29 at 21:50 +0100, Nick Hilliard wrote: > - the RIPE NCC is now funding a project for which there is no > consensus policy supported by the RIPE community, and is doing this on > the basis of a hair's breadth majority vote amongst its membership. Not only was the vote extremely na

Re: rpki vs. secure dns?

2012-05-01 Thread Russ White
> Yes, recursive dependencies are an issue. I'm really surprised that folks > are even seriously considering something like this, but OTOH, this sort of > thing keeps cropping up in various contexts from time to time, sigh. There are only a couple of ways to get past recursive dependencies. Y

Re: rpki vs. secure dns?

2012-05-01 Thread David Conrad
Roland, On May 1, 2012, at 8:49 AM, Dobbins, Roland wrote: > On May 1, 2012, at 8:18 PM, David Conrad wrote: >>> It's hard to take seriously any proposal which is predicated upon recursive >>> dependencies. >> Do you mean the need to be able to use [X] to fetch the data to enable you >> to use [

Re: rpki vs. secure dns?

2012-05-01 Thread Dobbins, Roland
On May 1, 2012, at 10:31 PM, John Kristoff wrote: > As Radia says in her book, we're probably stuck with BGP forever, but I > frequently wonder if she is right in suggesting we could have done > better by having a link state protocol instead. At the time, link-state protocols weren't practical

Re: rpki vs. secure dns?

2012-05-01 Thread Dobbins, Roland
On May 1, 2012, at 8:18 PM, David Conrad wrote: > Do you mean the need to be able to use rsync to fetch the data to enable you > to use rsync? A lot more than just rsync is necessary in order to allow rsync transactions to work. But, you know this already. ;> > Or the need to be able to use

Re: rpki vs. secure dns?

2012-05-01 Thread John Kristoff
On Mon, 30 Apr 2012 11:46:06 -0400 Randy Bush wrote: > > We need more flexible, distributed architecture behind - no matter - > > which interests will be lobbied as we have got already. > > as i agree that there is a problem, i *very* eagerly await your > proposal As Radia says in her book, we'

Re: rpki vs. secure dns?

2012-05-01 Thread David Conrad
On May 1, 2012, at 4:34 AM, Dobbins, Roland wrote: > On Apr 28, 2012, at 5:05 AM, Paul Vixie wrote: >> is anybody taking it seriously? > It's hard to take seriously any proposal which is predicated upon recursive > dependencies. Do you mean the need to be able to use rsync to fetch the data to en

Re: rpki vs. secure dns?

2012-05-01 Thread Dobbins, Roland
On Apr 28, 2012, at 5:17 PM, Saku Ytti wrote: > People might be scared to rely on DNS on accepting routes, but is this really an > issue? Yes, recursive dependencies are an issue. I'm really surprised that folks are even seriously considering something like this, but OTOH, this sort of thing k

Re: rpki vs. secure dns?

2012-05-01 Thread Dobbins, Roland
On Apr 28, 2012, at 5:05 AM, Paul Vixie wrote: > is anybody taking it seriously? It's hard to take seriously any proposal which is predicated upon recursive dependencies. --- Roland Dobbins //

Re: rpki vs. secure dns?

2012-05-01 Thread Russ White
Randy: > as i agree that there is a problem, i *very* eagerly await your proposal Reality: A few years back there were a half a dozen options proposed. soBGP, pgBGP, IRR based solutions, etc. Just recently PSVs were discussed and dismissed as a live option. Why? 1. Only S-BGP/BGP-SEC will solve

Re: rpki vs. secure dns?

2012-04-30 Thread Christopher Morrow
On Mon, Apr 30, 2012 at 11:51 AM, Jared Mauch wrote: > Personally I find the BitTorrent approach interesting. this conflates the 2 (at least!) topics here: 1) distribution of repository data 2) hierarchy of authority for the data which is in the repository -chris > On Apr 30, 2012, at 11:46

Re: rpki vs. secure dns?

2012-04-30 Thread Florian Weimer
* Alex Band: > All in all, for an RPKI-specific court order to be effective in > taking a network offline, the RIR would have to tamper with the > registry, inject false data and try to make sure it's not detected > so nobody applies a local override. Please keep in mind that this is what's happe

Re: rpki vs. secure dns?

2012-04-30 Thread Dmitry Burkov
Randy - you know that I'm enough stupid- means straightforward - may be the way is not only technical (recommendations design) - but also to combine with some policy changes as splitting allocations and assignments (may be changing who is responsible for what?) Or we follow the traditional way(

Re: rpki vs. secure dns?

2012-04-30 Thread Jared Mauch
Personally I find the BitTorrent approach interesting. Jared Mauch On Apr 30, 2012, at 11:46 AM, Randy Bush wrote: >> We need more flexible, distributed architecture behind - no matter - >> which interests will be lobbied as we have got already. > > as i agree that there is a problem, i *very

Re: rpki vs. secure dns?

2012-04-30 Thread Randy Bush
> We need more flexible, distributed architecture behind - no matter - > which interests will be lobbied as we have got already. as i agree that there is a problem, i *very* eagerly await your proposal randy

Re: rpki vs. secure dns?

2012-04-30 Thread Dmitry Burkov
Danny, just one more comment. So named vendor's support can be the worst case when there are no practical ways to deploy and it is absolutely not clear - should we follow this hierarchical model - I think it is the key point as we pushed ourselves by inertia to this way of thinking. Imho -

Re: rpki vs. secure dns?

2012-04-30 Thread Danny McPherson
On Apr 28, 2012, at 6:34 AM, Alex Band wrote: > All in all, RPKI has really good traction and with native router support in > Cisco, Juniper and Quagga, this is only getting better. We should be more careful with statements such as this, they're conflating important things that add to the co

Re: rpki vs. secure dns?

2012-04-30 Thread Phil Regnauld
Brandon Butterworth (brandon) writes: > > or you wait for the Elders of the Internet to visit with blessings > http://www.youtube.com/watch?v=iDbyYGrswtg Didn't randy just chime in ?

Re: rpki vs. secure dns?

2012-04-30 Thread Brandon Butterworth
> Reality check: I don't know that this is all that important, in the end. > So long as you can use an IGP locally with a default route to reach a > copy of the database, whether it be based on DNS, an RPKI, or anything > else, then you can bootstrap your EGP routing. If everything goes down > at t

Re: rpki vs. secure dns?

2012-04-30 Thread Russ White
>> Neither a DNS based solution nor the RPKI will resolve path attacks, > > I want to be sure of the terminology: what is deployed presently is > the bundle RPKI+ROA. As their name says, ROA can only be used against > origin attacks. But RPKI can be used for other things than RPKI+ROA, > including

Re: rpki vs. secure dns?

2012-04-30 Thread Randy Bush
> I want to be sure of the terminology: what is deployed presently is > the bundle RPKI+ROA. As their name says, ROA can only be used against > origin attacks. But RPKI can be used for other things than RPKI+ROA, > including BGP-sec (against path-based attacks), no? wfm

Re: rpki vs. secure dns?

2012-04-30 Thread Stephane Bortzmeyer
On Mon, Apr 30, 2012 at 09:41:51AM -0400, Russ White wrote a message of 60 lines which said: > Neither a DNS based solution nor the RPKI will resolve path attacks, I want to be sure of the terminology: what is deployed presently is the bundle RPKI+ROA. As their name says, ROA can only be used

Re: rpki vs. secure dns?

2012-04-30 Thread Russ White
> free dinner at nanog/van for anyone who can explain how the dnssec > approach meets the defcon attack. hint: it is a path attack, not an > origin attack, and the dns pigeon has no hooks to path attack > prevention. at ripe, joe gersh asked me for an example of a path attack > and i told him o

Re: rpki vs. secure dns?

2012-04-30 Thread Alex Band
On 29 Apr 2012, at 22:50, Nick Hilliard wrote: > On 28/04/2012 14:04, Alex Band wrote: >> At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote >> on RPKI at the general meeting. The result was that the RIPE NCC has the >> green light to continue offering the Resource Certifica

Re: rpki vs. secure dns?

2012-04-29 Thread Randy Bush
> As Randy points out, this is not unique to SIDR-defined RPKI. It is > applicable to any top-down hierarchical authorization mechanism. > Security has (non-monetary) costs. as this derives from address space ownership's dependence on the current hierarchic administrative allocation model, to fix

Re: rpki vs. secure dns?

2012-04-29 Thread Nick Hilliard
On 28/04/2012 14:04, Alex Band wrote: > At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote > on RPKI at the general meeting. The result was that the RIPE NCC has the > green light to continue offering the Resource Certification service, > including all BGP Origin Validation re

Re: rpki vs. secure dns?

2012-04-29 Thread Alex Band
On 29 Apr 2012, at 22:03, David Conrad wrote: > Alex, > > On Apr 29, 2012, at 8:16 AM, Alex Band wrote: >> All in all, for an RPKI-specific court order to be effective in taking a >> network offline, the RIR would have to tamper with the registry, inject >> false data and try to make sure it's

Re: rpki vs. secure dns?

2012-04-29 Thread Nick Hilliard
On 29/04/2012 16:16, Alex Band wrote: > All in all, for an RPKI-specific court order to be effective in taking a > network offline, the RIR would have to tamper with the registry, inject > false data and try to make sure it's not detected so nobody applies a > local override. You mean, like an FBI

Re: rpki vs. secure dns?

2012-04-29 Thread David Conrad
Alex, On Apr 29, 2012, at 8:16 AM, Alex Band wrote: > All in all, for an RPKI-specific court order to be effective in taking a > network offline, the RIR would have to tamper with the registry, inject false > data and try to make sure it's not detected so nobody applies a local > override. I s

Re: rpki vs. secure dns?

2012-04-29 Thread Matthias Waehlisch
On Sun, 29 Apr 2012, Stephane Bortzmeyer wrote: > > How does this interact with the presence of certificates for > > supernets, though? That is, suppose an ISP creates a legitimate ROA > > for 12.0.0.0/8, after ensuring that all of its customers have > > legitimate ROAs for the various subnet

Re: rpki vs. secure dns?

2012-04-29 Thread Stephane Bortzmeyer
On Sun, Apr 29, 2012 at 11:28:58AM -0400, Jennifer Rexford wrote a message of 37 lines which said: > How does this interact with the presence of certificates for > supernets, though? That is, suppose an ISP creates a legitimate ROA > for 12.0.0.0/8, after ensuring that all of its customers ha

Re: rpki vs. secure dns?

2012-04-29 Thread Brandon Butterworth
> Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID > route announcement; the result is RPKI UNKNOWN. Which is fine until UNKNOWNs are no longer permitted, a logical next step. It may not apply globally, initially perhaps just a US anti terrorist measure requiring all networ

Re: rpki vs. secure dns?

2012-04-29 Thread Jennifer Rexford
>> the worry in the ripe region and elsewhere is what i call the 'virginia >> court attack', also called the 'dutch court attack'. some rights holder >> claims their movie is being hosted in your datacenter and they get the >> RIR to jerk the attestation to your ownership of the prefix or your RO

Re: rpki vs. secure dns?

2012-04-29 Thread Alex Band
On 28 Apr 2012, at 21:28, Phil Regnauld wrote: > Rubens Kuhl (rubensk) writes: >>> In case you feel a BGP announcement should not be "RPKI Invalid" but >>> something else, you do what's described on slide 15-17: >>> >>> https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf >> >> The

Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Rubens Kuhl (rubensk) writes: > > In case you feel a BGP announcement should not be "RPKI Invalid" but > > something else, you do what's described on slide 15-17: > > > > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf > > The same currently happens with DNSSEC, doing what Comcas

Re: rpki vs. secure dns?

2012-04-28 Thread Rubens Kuhl
> In case you feel a BGP announcement should not be "RPKI Invalid" but > something else, you do what's described on slide 15-17: > > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf The same currently happens with DNSSEC, doing what Comcast calls "negative trust anchors": http://t

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 19:45, Nick Hilliard wrote: > On 28/04/2012 18:27, Phil Regnauld wrote: >> To me that seems like the most obvious problem, but as Alex put it, >> "Everyone has the ability to apply an override on data they do not >> trust, >> or have a specific local policy for.

Re: rpki vs. secure dns?

2012-04-28 Thread Nick Hilliard
On 28/04/2012 18:27, Phil Regnauld wrote: > To me that seems like the most obvious problem, but as Alex put it, > "Everyone has the ability to apply an override on data they do not > trust, > or have a specific local policy for." So what do you suggest to do with a roa lookup wh

Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Nick Hilliard (nick) writes: > > Leaving aside technical matters, this is one of the more contentious > political issues with RPKI. RPKI is a tool which can be used to locally > influence routing decisions, but allows centralised control of prefix > authenticity. If this central point is influen

Re: rpki vs. secure dns?

2012-04-28 Thread Nick Hilliard
On 28/04/2012 14:04, Alex Band wrote: > they do not trust, or have a specific local policy for. In the toolsets > for using the RPKI data set for routing decisions, such as the RIPE NCC > RPKI Validator, every possible step is taken to ensure that the > operator is in the driver's seat. L

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: > At RIPE 63, six months ago, the RIPE NCC membership got a chance to > vote on RPKI at the general meeting. The result was that the RIPE > NCC has the green light to continue offering the Resource > Certification service, including all BGP Origin Validation related > functionality.

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
> first thing that sprung to mind was this: > http://www.cafepress.com.au/nxdomain geoff wore one at ripe64. i was soo green with envy that he has graciously sent one to meet me when i get home from travails. see http://archive.psg.com/001213.ietf-dns.pdf for my comments on the subject at an

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
[ sorry cameron, trying to keep things down to one message ] > http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem > http://www.itworld.com/security/272320/engineers-ponder-easier-fix-dangerous-internet-problem and don't miss http://www.theregister.co.

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 01:17:10PM +0300, Saku Ytti wrote a message of 27 lines which said: > I think ROVER is better solution, doesn't need any changes to BGP > just little software magic when accepting routes. I like Rover but RPKI+ROA does not change BGP either (it will be a different stor

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote: > On Sat, Apr 28, 2012 at 12:34:52PM +0200, > Alex Band wrote > a message of 41 lines which said: > >> In reality, since the RIRs launched an RPKI production service on 1 >> Jan 2011, adoption has been incredibly good (for example compared t

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin Validation related functionality. It's correct that conc

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 12:34:52PM +0200, Alex Band wrote a message of 41 lines which said: > In reality, since the RIRs launched an RPKI production service on 1 > Jan 2011, adoption has been incredibly good (for example compared to > IPv6 and DNSSEC). More than 1500 ISPs and large organizatio

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 03:04:07AM -0700, Randy Bush wrote a message of 9 lines which said: > draft-bates-bgp4-nlri-orig-verif-00.txt was '98 > > and we dropped it for good reasons Unfortunately, we have RFCs for good ideas but bad ideas never get documented by the IETF (one of the few excep

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: >> I don't know if we can get RPKI to deployment because RIPE and RIPE >> NCC have rather serious issues with it. On the other hand, there >> doesn't seem to be anything else which keeps RIRs relevant in the >> post-scarcity world, so we'll see what happens. > > Could you elaborate o

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 11:56, Florian Weimer wrote: > * Paul Vixie: > >> this seems late, compared to the various commitments made to rpki in >> recent years. is anybody taking it seriously? > > The idea as such isn't new, this has been floating around for four > years or more, including at least o

Re: rpki vs. secure dns?

2012-04-28 Thread Saku Ytti
On (2012-04-27 22:05 +), Paul Vixie wrote: > this seems late, compared to the various commitments made to rpki in > recent years. is anybody taking it seriously? (disclaimer I'm almost completely clueless on RPKI). If two fails don't make win, then I think ROVER is better solution, doesn't n

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
> The idea as such isn't new, this has been floating around for four > years or more, including at least one Internet draft, > draft-donnerhacke-sidr-bgp-verification-dnssec. draft-bates-bgp4-nlri-orig-verif-00.txt was '98 and we dropped it for good reasons randy

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Paul Vixie: > this seems late, compared to the various commitments made to rpki in > recent years. is anybody taking it seriously? The idea as such isn't new, this has been floating around for four years or more, including at least one Internet draft, draft-donnerhacke-sidr-bgp-verification-dns

Re: rpki vs. secure dns?

2012-04-28 Thread Matthias Waehlisch
line 408 ff. in the IETF 83 SIDR minutes * http://www.ietf.org/proceedings/83/minutes/minutes-83-sidr.txt Cheers matthias -- Matthias Waehlisch . Freie Universitaet Berlin, Inst. fuer Informatik, AG CST . Takustr. 9, D-14195 Berlin, Germany .. mailto:waehli...@ieee.org .. http://www.

Re: rpki vs. secure dns?

2012-04-27 Thread Matt Ryanczak
On 04/27/2012 06:05 PM, Paul Vixie wrote: this seems late, compared to the various commitments made to rpki in recent years. is anybody taking it seriously? first thing that sprung to mind was this: http://www.cafepress.com.au/nxdomain

Re: rpki vs. secure dns?

2012-04-27 Thread Cameron Byrne
On Apr 27, 2012 3:05 PM, "Paul Vixie" wrote: > > http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem > > > "The problem: Border Gateway Protocol (BGP) enables routers to > > communicate about the best path to other networks, but routers don't > > verify

rpki vs. secure dns?

2012-04-27 Thread Paul Vixie
http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem > "The problem: Border Gateway Protocol (BGP) enables routers to > communicate about the best path to other networks, but routers don't > verify the route 'announcements.' When routing problems erupt, '