This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] Publish in Parent - input requested
- Previous message (by thread): [routing-wg] Publish in Parent - input requested
- Next message (by thread): [routing-wg] Publish in Parent - input requested
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Randy Bush
randy at psg.com
Tue Oct 4 00:06:29 CEST 2022
a friend has asked me about the possibility of DoS of a CA pushing random dren to a publication point; e.g. rsc signed kernel binaries, etc. obviously, it would have been unwise for the 8181 publication protocol to enumerate the allowed objects, or it would need to be updated every time the ietf sausage machine defined a new object (router key, aspa, etc.) but 8181 does provide for error handling. it seems obvious that a publisher reject a request to publish an object other than a formally correct rpki object. e.g. it should not accept the kernel blob. interesting, we do not have a document enumerating formal rpki signed objects. https://www.iana.org/assignments/rpki/rpki.xhtml#signed-objects is missing a few, e.g. certificates, crls. i have taken this up with the powers that be. randy
- Previous message (by thread): [routing-wg] Publish in Parent - input requested
- Next message (by thread): [routing-wg] Publish in Parent - input requested
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]