[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report
Alex Band
alex at nlnetlabs.nl
Wed Apr 10 19:02:32 UTC 2019
Hi Ben,
> On 10 Apr 2019, at 16:00, Ben Maddison via RPKI-Discuss <rpki-discuss at afrinic.net> wrote:
>
> That's not entirely true. A partial outage (where for example a single TAL becomes unverifiable, as in this case) may lead to a missing ROA for a prefix that remains covered by other ROAs issued under other TALs.
>
> Consider ROAs:
> {prefix: 2001:db8::/32, maxLength: 48, asn: 65000, tal: AFRINIC}
> {prefix: 2001:db8:f00::/48, maxLength: 48, asn: 65001, tal: RIPE}
>
> With the above, a route 2001:db8:f00::/48 via 65000_65001 will have a status Valid.
> If the RIPE TAL fails verification, it will become Invalid.
>
> This is most certainly a corner case, but is at least theoretically possible given that all RIRs claim 0/0 in their root certs.
Corner case or not, in my opinion it’s a very slippery slope to use such an example.
The RIRs have put in proper measures to make sure such a scenario doesn’t occur. For example, precisely for this reason the RIPE NCC have a more constrained “RIPE NCC Managed Resources” intermediate certificate in place, from which all Member Certificates are derived.
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
Cheers
Alex Band
NLnet Labs
nlnetlabs.nl/rpki
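The scenario Ben describes, worked through as RFC 6811 route origin validation in Python (an added example, not code from either poster): the ROA set is the one quoted above, each ROA tagged with the TAL it was issued under, and a TAL that fails to verify simply drops its ROAs from the validated set.

```python
import ipaddress

# ROA set constructed from the thread's example; "tal" records which trust
# anchor each ROA was issued under so that a TAL failure can be simulated.
ROAS = [
    {"prefix": "2001:db8::/32", "maxLength": 48, "asn": 65000, "tal": "AFRINIC"},
    {"prefix": "2001:db8:f00::/48", "maxLength": 48, "asn": 65001, "tal": "RIPE"},
]


def origin_as(as_path):
    """Origin AS of an AS_PATH written like '65000_65001' (rightmost ASN)."""
    return int(as_path.split("_")[-1])


def covers(roa, prefix):
    """True if the ROA's prefix covers the announced prefix (same address family)."""
    roa_net = ipaddress.ip_network(roa["prefix"])
    return roa_net.version == prefix.version and prefix.subnet_of(roa_net)


def validate(route_prefix, origin, roas, usable_tals):
    """RFC 6811 ROV: 'notfound' if no ROA covers the prefix, 'valid' if a
    covering ROA matches origin ASN and prefix length <= maxLength, else 'invalid'.
    Only ROAs from TALs in usable_tals count, modelling a TAL verification failure."""
    prefix = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if r["tal"] in usable_tals and covers(r, prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa["asn"] == origin and prefix.prefixlen <= roa["maxLength"]:
            return "valid"
    return "invalid"


def tal_failure_demo(route_prefix, as_path):
    """Validation state with all TALs usable versus with the RIPE TAL dropped."""
    origin = origin_as(as_path)
    all_tals = {"AFRINIC", "RIPE"}
    return (validate(route_prefix, origin, ROAS, all_tals),
            validate(route_prefix, origin, ROAS, all_tals - {"RIPE"}))


if __name__ == "__main__":
    # The more-specific /48 under AFRINIC's /32 flips from Valid to Invalid
    # once the RIPE ROA is no longer available to the validator.
    print(tal_failure_demo("2001:db8:f00::/48", "65000_65001"))
```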