[address-policy-wg] the implications of RPKI certificate revokation
- Previous message (by thread): [address-policy-wg] Re: the implications of RPKI certificate revokation
- Next message (by thread): [address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Andrei Robachevsky
andrei.robachevsky at gmail.com
Thu May 5 11:17:56 CEST 2011
Jim Reid wrote on 5/5/11 09:45:

[...]

> Personally, I'm not too fussed by this. The bad guys are not likely to
> be forming an orderly queue to get their certs from the NCC. And I
> think/hope the Dutch courts would take a robust view when governments or
> the Scientologists come looking for a court order. But in the final
> analysis, I struggle to see how an RPKI cert revocation would be any
> different from adding a prefix to the "official" blacklist that ISPs are
> encouraged to implement today.
>

Yes. At the end of the day application of RPKI or BGPsec is a local ISP policy decision. If filtering based on the current RIR registry databases were ubiquitous among the ISPs, these databases would have had the same effect as the RPKI.

I doubt application of the RPKI will become ubiquitous in the near future. And if a common local policy is that it just increases the preference of the route, absence of a validatable ROA means that the system falls back to insecure, which is what we have now. But it will still protect (modulo no path protection) against address hijacking.

Andrei
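An added illustration, not part of the message above or of the list archive: RFC 6811 route origin validation under a prefer-valid local policy, evaluated before and after the holder's ROA stops validating. The prefix, AS numbers and local-preference values are constructed assumptions.

```python
import ipaddress

def validate(prefix, origin_as, vrps):
    """RFC 6811 origin validation. vrps is a list of
    (prefix, max_length, asn) validated ROA payloads."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route sits inside the VRP prefix.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is notfound.
    return "invalid" if covered else "notfound"

# Assumed local policy: a valid origin only raises preference,
# nothing is dropped (values are illustrative).
DEFAULT_PREF, VALID_PREF = 100, 200

def local_pref(prefix, origin_as, vrps):
    state = validate(prefix, origin_as, vrps)
    return VALID_PREF if state == "valid" else DEFAULT_PREF

def compare(prefix, holder_as, other_as, vrps):
    """(state, local_pref) for the holder's route and a competing origin."""
    return {asn: (validate(prefix, asn, vrps), local_pref(prefix, asn, vrps))
            for asn in (holder_as, other_as)}

# Constructed sample data (documentation prefix and AS numbers).
PREFIX = "192.0.2.0/24"
HOLDER_AS, OTHER_AS = 64500, 64511
VRPS_WITH_ROA = [("192.0.2.0/24", 24, HOLDER_AS)]
VRPS_AFTER_REVOCATION = []  # certificate revoked, ROA no longer validates

if __name__ == "__main__":
    for label, vrps in (("with ROA", VRPS_WITH_ROA),
                        ("after revocation", VRPS_AFTER_REVOCATION)):
        print(label, compare(PREFIX, HOLDER_AS, OTHER_AS, vrps))
```

With the ROA in place the holder's announcement is preferred over the competing origin; once it is gone both routes are `notfound` with equal preference, so selection is decided by ordinary BGP attributes as it is without RPKI.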