[address-policy-wg] the implications of RPKI certificate revokation
Andrei Robachevsky
andrei.robachevsky at gmail.com
Thu May 5 11:17:56 CEST 2011
Jim Reid wrote on 5/5/11 09:45 :
[...]
> Personally, I'm not too fussed by this. The bad guys are not likely to
> be forming an orderly queue to get their certs from the NCC. And I
> think/hope the Dutch courts would take a robust view when governments or
> the Scientologists come looking for a court order. But in the final
> analysis, I struggle to see how an RPKI cert revocation would be any
> different from adding a prefix to the "official" blacklist that ISPs are
> encouraged to implement today.
>

Yes. At the end of the day application of RPKI or BGPsec is a local ISP policy decision. If filtering based on the current RIR registry databases were ubiquitous among the ISPs, these databases would have had the same effect as the RPKI.

I doubt application of the RPKI will become ubiquitous in the near future. And if a common local policy is that it just increases the preference of the route, absence of a validatable ROA means that the system falls back to insecure, which is what we have now. But it will still protect (modulo no path protection) against address hijacking.

Andrei
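
The preference-only local policy discussed in the message above, as an added example that is not part of the original email: origin validation in the style of RFC 6811, followed by route selection with and without the ROA. The prefixes, AS numbers, local-pref values and the `best_origin` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use ASNs.
ROAS = [("192.0.2.0/24", 24, 64500)]           # (prefix, maxLength, origin AS)
ANNOUNCEMENTS = [("192.0.2.0/24", 64511),      # unauthorised origin, listed first
                 ("192.0.2.0/24", 64500)]      # the address holder

def validate(prefix, origin_as, roas):
    """Origin validation states as in RFC 6811: valid, invalid or notfound."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covered = True                     # some ROA covers this route
            if route.prefixlen <= max_len and origin_as == roa_as:
                return "valid"                 # covered and matched
    return "invalid" if covered else "notfound"

# Assumed local policy: validation only adjusts preference, nothing is dropped.
LOCAL_PREF = {"valid": 200, "notfound": 100, "invalid": 50}

def best_origin(announcements, roas):
    """Select the origin for same-prefix routes by local-pref.

    On a tie max() keeps the earliest entry, standing in for the remaining
    BGP tie-breakers, which know nothing about who holds the address space.
    """
    best = max(announcements,
               key=lambda a: LOCAL_PREF[validate(a[0], a[1], roas)])
    return best[1]

if __name__ == "__main__":
    # With the ROA published, the holder's route is preferred.
    print("ROA present:", best_origin(ANNOUNCEMENTS, ROAS))
    # With the ROA revoked or absent, both routes are notfound and selection
    # falls back to ordinary best-path rules, as it does without RPKI.
    print("ROA absent: ", best_origin(ANNOUNCEMENTS, []))
```
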