[routing-wg] AS201640
George Michaelson
ggm at apnic.net
Sun Nov 9 21:13:51 CET 2014
I think there are two qualities to the problem:

1) what kind of authentication takes place to admit out-of-region data into a system which demands self-referential integrity and can't be made to do cross-system references

2) what time limits do we place on the data to require re-validation, so that it doesn't last forever and go stale.

Designing this demands both sender and receiver agree. The prior art, RPSS and RPS-Auth, did not achieve agreement on both sides: we didn't all agree to run a single cohesive framework.

RPKI (noting Sander's concerns that it scares some people) has the huge benefit: all the RIRs are doing it, and all the RIRs respect each other's root/signing trust chains. And, as I said before, it has time limits built in: signed objects have a lifetime by definition. Do nothing, and data ages out at some point.

That's why I like it: it's commonly implemented, and it behaves the way we need, for this function.

-G

On 9 November 2014 11:59, Gert Doering <gert at space.net> wrote:
> Hi,
>
> On Sun, Nov 09, 2014 at 11:48:36AM -0800, Ronald F. Guilmette wrote:
> > P.S. I'm still a bit befuddled by what happened in this case. Would it be a fair characterization to say that what AS201640 has done in this case is to exploit a kind of loophole which is uniquely present only when the hijacker/squatter AS is registered in one RIR and the IP blocks that are being hijacked/squatted are registered in a different RIR?
>
> Yes.
>
> > Also, could this scenario have been replicated if the origin AS had been registered in/by ARIN, APNIC, LACNIC, or AFRINIC, rather than RIPE?
>
> I'm not sure how the access control in other regions' IRR DBs works - but at least ARIN's database is based on RIPE code, so "it might be".
>
> > If so, then a proper sort of fix will necessarily involve all five RIRs, no?
>
> Correct. George Michaelson is from APNIC, so "they are aware", and I'm fairly sure the other RIRs are being informed.
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
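The two properties George lists (authenticate out-of-region data against a trust chain the receiver already recognises, and give every object a lifetime so stale data ages out by itself) can be shown in a few lines. The following is an added illustration, not code from the thread or from any RIR; it uses a constructed HMAC-signed JSON record as a stand-in for RPKI's real X.509/CMS objects (an assumption made for brevity), with constructed registry keys, a documentation prefix and a private-use ASN. The point it demonstrates is that a validator which knows only the issuers' keys can still reject an object from an unknown registry, a tampered object, and an object whose validity window has passed, without any cross-system reference.

```python
import hashlib
import hmac
import json
import time

# Constructed demo keys standing in for each registry's signing trust anchor.
# Real RPKI uses per-RIR X.509 trust anchors and CMS-signed objects; this
# HMAC scheme is a deliberate simplification for illustration only.
REGISTRY_KEYS = {
    "RIR-A": b"constructed-demo-key-for-rir-a",
    "RIR-B": b"constructed-demo-key-for-rir-b",
}


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_route_object(issuer: str, prefix: str, origin_as: int,
                      not_before: int, lifetime_s: int) -> dict:
    """Issuer attests that origin_as may originate prefix, for a bounded window.

    The lifetime is part of the signed body, so it cannot be stretched later
    without invalidating the signature. Times are Unix seconds.
    """
    body = {
        "issuer": issuer,
        "prefix": prefix,
        "origin_as": origin_as,
        "not_before": not_before,
        "not_after": not_before + lifetime_s,
    }
    sig = hmac.new(REGISTRY_KEYS[issuer], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def validate(obj: dict, now: int, trusted_keys: dict = REGISTRY_KEYS) -> tuple:
    """Return (ok, reason) for a signed route object at time `now`.

    Rejects, in order: an issuer the receiver does not trust, a signature that
    does not match the body, and an object outside its validity window. Doing
    nothing to an object therefore makes it invalid once not_after has passed.
    """
    key = trusted_keys.get(obj.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    body = {k: v for k, v in obj.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj.get("sig", "")):
        return False, "bad signature"
    if now < obj["not_before"]:
        return False, "not yet valid"
    if now > obj["not_after"]:
        return False, "expired"
    return True, "valid"


if __name__ == "__main__":
    # Constructed sample: RIR-A attests a documentation prefix for a private ASN.
    issued = int(time.time())
    roa = sign_route_object("RIR-A", "192.0.2.0/24", 64496, issued, 3600)
    print("fresh object:", validate(roa, issued + 60))
    print("a day later :", validate(roa, issued + 86400))
    forged = dict(roa, origin_as=64497)          # attacker changes the origin
    print("tampered    :", validate(forged, issued + 60))
    foreign = dict(roa, issuer="RIR-X")          # issuer nobody has a key for
    print("unknown RIR :", validate(foreign, issued + 60))
```

Run it directly to see all four outcomes. The contrast with a plain IRR route object is that the IRR record has no `not_after` at all, so a stale or out-of-region entry stays valid until somebody notices and deletes it; here the validity window is inside the signed body, so the same object simply stops validating on its own.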