Hi,

I'm thinking about another potential DoS attack. An entity that owns a CA certificate has the ability to generate a huge hierarchy of further CA certificates without any limitation (as far as I know).

In contrast to the generation of a huge number of ROAs, this attack isn't limited regarding the number of objects/certificates.

E.g., a compromised/bad entity owns a /16 prefix, generates 10000 CA certificates, hands down this prefix all the way to the lowest CA certificate and generates 2^8 ROAs; relying party software would then be forced to check this hierarchy 2^8 times. Of course, this is kind of a blunt attack, but without making any provisions, this "local cache flooding" could lead to a disturbance of all (worst case) local caches for a certain time. Some smaller RPs could be slower to remedy this.

Are there any restrictions on this attack that I've missed? Any feedback is very welcome!

Kind regards

Demian
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
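The cost asymmetry behind the scenario in the post, as an added illustration (not code from the original message or from any relying-party implementation): a relying party validating N ROAs below a chain of D nested CA certificates does N*(D+2) signature checks if it re-walks the whole chain for every ROA, but only D+1+N if it memoizes each CA certificate after validating it once. The block also shows a hypothetical per-RP chain-depth limit as a defensive check; that knob, the `CACert`/`ROA` shapes and the 10.0.0.0/8 and 10.1.0.0/16 prefixes are all constructed for the simulation, and "signature check" here is just a counter, while the resource-containment check is done with `ipaddress`.

```python
"""Cost model for CA-chain flooding: naive vs. memoized path validation.

Added illustration, not from the original post or any RP software. No real
RPKI objects or cryptography; a "signature check" increments a counter and
resource containment is checked with ipaddress. All prefixes are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(eq=False)
class CACert:
    name: str
    prefixes: List[ipaddress.IPv4Network]   # resources certified to this CA
    issuer: Optional["CACert"]              # None marks the trust anchor


@dataclass(eq=False)
class ROA:
    name: str
    prefix: ipaddress.IPv4Network
    issuer: CACert


class ChainTooDeep(Exception):
    pass


def covered(parent_prefixes, prefix):
    """Containment check: the prefix must lie inside one issuer resource."""
    return any(prefix.subnet_of(p) for p in parent_prefixes)


class Validator:
    def __init__(self, memoize: bool, max_depth: Optional[int] = None):
        self.memoize = memoize
        self.max_depth = max_depth   # hypothetical RP limit, not from any RFC
        self.sig_checks = 0          # number of signature verifications done
        self.depth_of = {}           # id(cert) -> depth, for validated CAs

    def validate_ca(self, ca: CACert) -> bool:
        # Walk upward until the trust anchor or an already-validated CA.
        pending, cur = [], ca
        while cur is not None and not (self.memoize and id(cur) in self.depth_of):
            pending.append(cur)
            cur = cur.issuer
        base = -1 if cur is None else self.depth_of[id(cur)]
        # Validate top-down so each issuer is checked before its subject.
        for i, cert in enumerate(reversed(pending)):
            depth = base + 1 + i
            if self.max_depth is not None and depth > self.max_depth:
                raise ChainTooDeep(f"{cert.name} at depth {depth}")
            if cert.issuer is not None and not all(
                    covered(cert.issuer.prefixes, p) for p in cert.prefixes):
                return False
            self.sig_checks += 1                 # one CA signature check
            if self.memoize:
                self.depth_of[id(cert)] = depth
        return True

    def validate_roa(self, roa: ROA) -> bool:
        if not self.validate_ca(roa.issuer):
            return False
        if not covered(roa.issuer.prefixes, roa.prefix):
            return False
        self.sig_checks += 1                     # ROA/EE signature check
        return True


def build_scenario(n_cas: int, n_roas: int) -> List[ROA]:
    """Trust anchor -> n_cas nested CAs re-certifying the same /16 ->
    n_roas ROAs for /24s inside it (constructed sample data)."""
    handed_down = [ipaddress.ip_network("10.1.0.0/16")]
    ca = CACert("TA", [ipaddress.ip_network("10.0.0.0/8")], None)
    for i in range(n_cas):
        ca = CACert(f"CA{i + 1}", handed_down, ca)
    subnets = list(handed_down[0].subnets(new_prefix=24))[:n_roas]
    return [ROA(f"ROA{i}", s, ca) for i, s in enumerate(subnets)]


def count_checks(n_cas: int, n_roas: int, memoize: bool) -> int:
    """Signature checks needed to validate every ROA in the scenario."""
    v = Validator(memoize)
    for roa in build_scenario(n_cas, n_roas):
        if not v.validate_roa(roa):
            raise RuntimeError(f"{roa.name} unexpectedly invalid")
    return v.sig_checks


def exceeds_depth_limit(n_cas: int, limit: int) -> bool:
    """True if the chain trips the (hypothetical) depth limit."""
    v = Validator(memoize=True, max_depth=limit)
    try:
        for roa in build_scenario(n_cas, 1):
            v.validate_roa(roa)
        return False
    except ChainTooDeep:
        return True


if __name__ == "__main__":
    d, n = 1000, 256
    print("naive    :", count_checks(d, n, memoize=False))   # n*(d+2)
    print("memoized :", count_checks(d, n, memoize=True))    # d+1+n
    print("depth>100:", exceeds_depth_limit(d, 100))
```

With the post's figures (D = 10000, N = 256) the naive walk costs 256 * 10002 signature checks against 10257 for the memoized one, so caching validated CA certificates, together with an upper bound on chain depth, turns the attack from linear in N*D into linear in N+D.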
