[routing-wg] AS201640
- Previous message (by thread): [routing-wg] access control in other regions' IRR DB [was: Re: AS201640]
- Next message (by thread): [routing-wg] discussion about rogue database objects
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
George Michaelson
ggm at apnic.net
Sun Nov 9 21:13:51 CET 2014
I think there are two qualities to the problem:

1) what kind of authentication takes place to admit out-of-region data into a system which demands self-referential integrity and can't be made to do cross-system references

2) what time limits do we place on the data to require re-validation, so that it doesn't last forever and go stale.

Designing this demands both sender and receiver agree. The prior art, RPSS and RPS-Auth, did not achieve agreement on both sides: we didn't all agree to run a single cohesive framework.

RPKI (noting Sanders concerns it scares some people) has the huge benefit: all the RIR are doing it, and all the RIR respect each other's root/signing trust chains. And, as I said before, it has time limits built in: signed objects have a lifetime by definition. Do nothing, and data ages out at some point.

That's why I like it: it's commonly implemented, and it behaves the ways we need, for this function.

-G

On 9 November 2014 11:59, Gert Doering <gert at space.net> wrote:

> Hi,
>
> On Sun, Nov 09, 2014 at 11:48:36AM -0800, Ronald F. Guilmette wrote:
> > P.S. I'm still a bit befuddled by what happened in this case. Would it
> > be a fair characterization to say that what AS201640 has done in this
> > case is to exploit a kind of loophole which is uniquely present only
> > when the hijacker/squatter AS is registered in one RiR and the IP blocks
> > that are being hijacked/squatted are registered in a different RiR?
>
> Yes.
>
> > Also, could this scenario have been replicated if the origin AS had
> > been registered in/by ARIN, APNIC, LACNIC, or AFRINIC, rather than
> > RIPE?
>
> I'm not sure how the access control in other regions' IRR DBs work - but
> at least ARIN's database is based on RIPE code, so "it might be".
>
> > If so, then a proper sort of fix will necessarily involve all
> > five RiRs, no?
>
> Correct. George Michaelson is from APNIC, so "they are aware", and I'm
> fairly sure the other RIRs are being informed.
>
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279