This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] 2019-08 Review Phase (RPKI ROAs for Unallocated and Unassigned RIPE NCC Address Space)
Robert Kisteleki
robert at ripe.net
Wed Mar 4 10:49:11 CET 2020
> If I got feedback in my community they don't feel this needs HSM
> backing, I can avoid the problem.

That sounds logical. It leads me to the question: what's the threat model for protecting the "RIR AS0 key"? In other words what happens if an attacker can sign stuff (CAs, ROAs, ...) of their choosing with it [1]?

Depending on the severity of scenarios in the answer [2], the use of HSM for the TA may or may not make a difference.

Robert

[1] note that in order to "sign stuff of their choosing" does not mean they need to get the key (which is of course harder when using an HSM). They only need to convince the system to sign the attacker's blobs, which is a very different problem.

[2] random ideas:
* does the AS0 TA cover 0/0 or only the unallocated space?
* If someone makes a non-AS0 ROA under this TA, how does that interact with a ROA from under a different TA?
* does this whole thing matter if some address space (i.e. from other RIRs) is not covered by an AS0 TA anyway?