[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

Alex Band alex at nlnetlabs.nl
Wed Apr 10 19:02:32 UTC 2019

Hi Ben,

> On 10 Apr 2019, at 16:00, Ben Maddison via RPKI-Discuss <rpki-discuss at afrinic.net> wrote:
> That's not entirely true. A partial outage (where for example a single TAL becomes unverifiable, as in this case) may lead to a missing ROA for a prefix that remains covered by other ROAs issued under other TALs.
> Consider ROAs:
> {prefix: 2001:db8::/32, maxLength: 48, asn: 65000, tal: AFRINIC}
> {prefix: 2001:db8:f00::/48, maxLength: 48, asn: 65001, tal: RIPE}
> With the above, a route 2001:db8:f00::/48 via 65000_65001 will have a status Valid.
> If the RIPE TAL fails verification, it will become Invalid.
> This is most certainly a corner case, but is at least theoretically possible given that all RIRs claim 0/0 in their root certs.

Corner case or not, in my opinion it’s a very slippery slope to use such an example. 

The RIRs have put in proper measures to make sure such a scenario doesn’t occur. For example, precisely for this reason the RIPE NCC have a more constrained “RIPE NCC Managed Resources” intermediate certificate in place, from which all Member Certificates are derived.



Alex Band
NLnet Labs

More information about the RPKI-Discuss mailing list