On Sun, Apr 29, 2012 at 11:28:58AM -0400, Jennifer Rexford <jrex@CS.Princeton.EDU> wrote a message of 37 lines which said:
> How does this interact with the presence of certificates for supernets, though? That is, suppose an ISP creates a legitimate ROA for 12.0.0.0/8, after ensuring that all of its customers have legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose one of these customers has its legitimate ROA revoked by a court order. Would the legitimate announcement of that subnet (originated by the customer's ASN) still result in UNKNOWN status, or would it look like a sub-prefix hijack because the announcement has a different ASN than the matching 12.0.0.0/8 prefix?
The second (and therefore Alex Band's example is not good). But it depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA (section 3.3 of RFC 6482). If, in the future, RIRs or operators create ROAs for all the blocks they manage, revocation of a ROA will be deadly.
On Sun, 29 Apr 2012, Stephane Bortzmeyer wrote:
> > How does this interact with the presence of certificates for supernets, though? That is, suppose an ISP creates a legitimate ROA for 12.0.0.0/8, after ensuring that all of its customers have legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose one of these customers has its legitimate ROA revoked by a court order. Would the legitimate announcement of that subnet (originated by the customer's ASN) still result in UNKNOWN status, or would it look like a sub-prefix hijack because the announcement has a different ASN than the matching 12.0.0.0/8 prefix?
>
> The second (and therefore Alex Band's example is not good). But it depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA (section 3.3 of RFC 6482).
Unclear, as the scenario doesn't depend on the maxLength (wrt the current specs). If there are valid covering ROAs in the RPKI and none of them match in the origin AS (customer ROA removed), the route prefix is invalid.

The scenario is similar to the case in which the ISP starts to create a ROA for a superblock before the customer adds its route prefix into the RPKI ... this happened with AT&T during testing, for example, https://labs.ripe.net/Members/waehlisch/one-day-in-the-life-of-rpki

Cheers
  matthias

--
Matthias Waehlisch
.  Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
.  Takustr. 9, D-14195 Berlin, Germany
.. mailto:waehlisch@ieee.org .. http://www.inf.fu-berlin.de/~waehl
:. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net
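The covering-versus-matching rule from RFC 6811 that the thread turns on, run over a constructed ROA set for the 12.0.0.0/8 scenario: the ISP's /8 ROA, the customer's /16 ROA, and the customer's announcement before and after its ROA is revoked, once with maxLength 8 and once with maxLength 24 on the /8. This is an added example, not code from the list or from any RPKI validator; the AS numbers (65001, 65002) and the customer prefix 12.1.0.0/16 are made up.

```python
from ipaddress import ip_network

# Constructed ROA table for the scenario in the thread. Each ROA is
# (prefix, maxLength, origin AS); the AS numbers and the /16 are made up.
ISP_ROA = ("12.0.0.0/8", 8, 65001)
CUSTOMER_ROA = ("12.1.0.0/16", 16, 65002)


def roa_covers(roa, prefix):
    """A ROA covers a route when the ROA prefix contains the route prefix
    (RFC 6811 section 2). maxLength plays no role in covering."""
    roa_net, route = ip_network(roa[0]), ip_network(prefix)
    return route.version == roa_net.version and route.subnet_of(roa_net)


def roa_matches(roa, prefix, origin_as):
    """A covering ROA matches only if the origin AS is equal and the
    route's prefix length does not exceed the ROA's maxLength."""
    return (roa_covers(roa, prefix)
            and roa[2] == origin_as
            and ip_network(prefix).prefixlen <= roa[1])


def validate(roas, prefix, origin_as):
    """Origin validation per RFC 6811: no covering ROA -> NotFound (the
    UNKNOWN state in the thread); any matching ROA -> Valid; covered by
    at least one ROA but matched by none -> Invalid."""
    covering = [r for r in roas if roa_covers(r, prefix)]
    if not covering:
        return "NotFound"
    if any(roa_matches(r, prefix, origin_as) for r in covering):
        return "Valid"
    return "Invalid"


def customer_route_states(isp_maxlength):
    """State of the customer's 12.1.0.0/16 announcement from AS 65002
    before and after the customer ROA is revoked, for a given maxLength
    on the ISP's 12.0.0.0/8 ROA."""
    isp_roa = (ISP_ROA[0], isp_maxlength, ISP_ROA[2])
    before = validate([isp_roa, CUSTOMER_ROA], "12.1.0.0/16", 65002)
    after = validate([isp_roa], "12.1.0.0/16", 65002)
    return before, after


if __name__ == "__main__":
    for maxlen in (8, 24):
        print(f"ISP /8 maxLength {maxlen}: before/after revocation ->",
              customer_route_states(maxlen))
```

With either maxLength the customer's route goes from Valid to Invalid once its own ROA disappears, because the /8 ROA still covers the /16 but its origin AS never matches.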