<disclaimer: I haven't read the paper in full, I've started and so far
it seems more solid than the slide deck>

I agree with John's observations. We need to stop making the statement
"no roa == no route", because it's simply not true.

So far in my reading of the full paper, many of the 'vulnerabilities'
they mention (quotes intended, I'm not sure the word is properly applied
given the context) appear to depend (1) on how RPs handle the 'Unknown'
validity state, and, more deeply, (2) on the very nature of the
tree-based model of trust.

For (1), I believe that we're still a long way from dropping unknowns,
and we're definitely going to 'build the road as we go' (paraphrasing a
very well known Chilean poet). Additional work might be needed in this area.

For (2), I share the misgivings, but do we have anything better?
Should we stop using tree-based models of trust until we do? I don't
think so. Until now, this has worked reasonably well. Given the sheer
amount of certification authorities out there, fiascos like DigiNotar
have not been that many. In the case of the RPKI we are talking
about a more restricted universe that can be audited more easily and
into which other safeguards could be built.

cheers!

~Carlos




On 3/20/13 10:17 AM, John Curran wrote:
> On Mar 20, 2013, at 6:50 AM, Danny McPherson <da...@tcb.net> wrote:
> 
>> Interesting presentation here:
>>
>> http://www.cs.bu.edu/~goldbe/papers/Cooper_RPKI_BFOC.pdf
>>
>> "The RPKI (Resource Public Key Infrastructure) is a new infrastructure to
>> secure Internet routing. It's been in deployment since ~2011. But, it also
>> creates new risks (misconfigurations and takedowns) that could make IP
>> prefixes unreachable"
>>
>> Given we've been concerned (and vocal) about this from an operational 
>> perspective since RPKI's proposed "tight coupling" into BGPSEC discussions 
>> many years ago...
> 
> So, I'm a little confused...  (wouldn't be the first time :-)
> 
> The presentation states "Importantly, RPKI validity must impact routing 
> decisions.", which I guess we have to take as a truism if RPKI is to have 
> any effect at all on routing security.  It then goes on to equate cert
> revocation (and resulting loss of a ROA) with an impact to reachability. 
> 
> I don't understand how they conclude that loss of a ROA would be a 
> reachability impacting event (on its own), since any party using  
> routing policy as outlined in <draft-ietf-sidr-origin-ops-20> is
> almost certainly going to end up using an announcement which is 
> now NotFound origin instead... 
> 
> Danny - Is there really a "tight coupling" if providers are 
> following the recommended BGP origin validation best practices?
> 
> /John
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
> 
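
Added example (not part of either message or of the paper): the RFC 6811
origin validation states discussed above, computed over constructed VRPs
that use documentation prefixes and ASNs. The `usable` policy (drop only
Invalid) and all names are assumptions for illustration; the second case
goes beyond the thread by leaving a covering VRP in place after the loss.

```python
from ipaddress import ip_network

def validate(prefix, origin_as, vrps):
    """RFC 6811 origin validation for one announcement.

    vrps: list of (roa_prefix, max_length, asn) Validated ROA Payloads.
    Returns 'Valid', 'Invalid' or 'NotFound'.
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in vrps:
        roa = ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue  # this VRP does not cover the route at all
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "Valid"
    # Covered but never matched -> Invalid; no covering VRP -> NotFound.
    return "Invalid" if covered else "NotFound"

def usable(state):
    # Assumed local policy: use Valid and NotFound routes, drop only Invalid.
    return state != "Invalid"

def roa_loss(prefix, origin_as, vrps, lost):
    """Validation state before and after the VRP `lost` disappears."""
    before = validate(prefix, origin_as, vrps)
    after = validate(prefix, origin_as, [v for v in vrps if v != lost])
    return before, after

# Constructed sample data (documentation address space and ASNs).
SOLE = [("192.0.2.0/24", 24, 64496)]
NESTED = [("2001:db8::/32", 32, 64496), ("2001:db8:1::/48", 48, 64497)]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496, SOLE, SOLE[0]),         # only ROA is lost
        ("2001:db8:1::/48", 64497, NESTED, NESTED[1]),  # covering ROA remains
    ]
    for prefix, asn, vrps, lost in cases:
        before, after = roa_loss(prefix, asn, vrps, lost)
        print(f"{prefix} AS{asn}: {before} -> {after}, usable={usable(after)}")
```
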