On Mar 20, 2013, at 6:50 AM, Danny McPherson <da...@tcb.net> wrote:

> Interesting presentation here:
>
> http://www.cs.bu.edu/~goldbe/papers/Cooper_RPKI_BFOC.pdf
>
> "The RPKI (Resource Public Key Infrastructure) is a new infrastructure to
> secure Internet routing
> It’s been in deployment since ~2011 But, it also creates new risks
> (misconfigurations and takedowns)
> that could make IP prefixes unreachable"
>
> Given we've been concerned (and vocal) about this from an operational
> perspective since RPKI's proposed "tight coupling" into BGPSEC discussions
> many years ago...

So, I'm a little confused... (wouldn't be the first time :-)

The presentation states "Importantly, RPKI validity must impact routing decisions.", which I guess we have to take as a truism if RPKI is to have any effect at all on routing security. It then goes on to equate cert revocation (and resulting loss of a ROA) with an impact to reachability.

I don't understand how they conclude that loss of a ROA would be a reachability impacting event (on its own), since any party using routing policy as outlined in <draft-ietf-sidr-origin-ops-20> is almost certainly going to end up using an announcement which is now NotFound origin instead...

Danny - Is there really a "tight coupling" if providers are following the recommended BGP origin validation best practices?

/John
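
The case discussed in the message above, worked through as an added example (not part of the original post or of the cited draft): RFC 6811 origin validation of a route before and after its ROA disappears. It goes beyond the message by also including a route that is covered by a second, less-specific ROA; the prefixes and AS numbers are constructed documentation values, and `vrp` and `after_roa_loss` are hypothetical helpers.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: (prefix, maximum length, origin AS)."""
    prefix: object
    max_length: int
    asn: int


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue
        # A VRP covers the route when the route is equal to, or more
        # specific than, the VRP prefix.
        if route.subnet_of(v.prefix):
            covered = True
            # Matched: covered, within max length, same origin AS.
            if route.prefixlen <= v.max_length and v.asn == origin_asn:
                return "Valid"
    # Covered by at least one VRP but matched by none -> Invalid.
    return "Invalid" if covered else "NotFound"


def after_roa_loss(route_prefix, origin_asn, vrps, lost):
    """Validation state before and after one VRP disappears."""
    before = validate_origin(route_prefix, origin_asn, vrps)
    remaining = [v for v in vrps if v != lost]
    return before, validate_origin(route_prefix, origin_asn, remaining)


# Constructed sample data (documentation prefixes and AS numbers).
STANDALONE = vrp("192.0.2.0/24", 24, 64500)    # no other VRP covers it
PARENT = vrp("203.0.113.0/24", 24, 64496)      # less-specific holder
CHILD = vrp("203.0.113.128/25", 25, 64497)     # more-specific holder
VRPS = [STANDALONE, PARENT, CHILD]

if __name__ == "__main__":
    print(after_roa_loss("192.0.2.0/24", 64500, VRPS, STANDALONE))
    print(after_roa_loss("203.0.113.128/25", 64497, VRPS, CHILD))
```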