> On 21 Apr 2020, at 11:09, Baldur Norddahl <baldur.nordd...@gmail.com> wrote:
>
> On 21.04.2020 10.56, Sander Steffann wrote:
>> Hi,
>>
>>> Removing a resource from the certificate to achieve the goal you describe
>>> will make the route announcement NotFound, which means it will be accepted.
>>> Evil RIR would have to replace an existing ROA with one that explicitly
>>> makes a route invalid, i.e. issue an AS0 ROA for a specific member prefix.
>>> This seems like a pretty convoluted way to try and take a network offline.
>> I've seen worse…
>> Sander
>>
>
> As long as Good RIR continues to publish a valid ROA for the real ASN that evil
> AS0 ROA would have no effect?

Correct. Should this really be a concern, then you can run Delegated RPKI. In that case the RIR can’t tamper with your ROA because it’s not on their systems. Evil RIR could only revoke a prefix from your certificate or your entire certificate, but again, your BGP announcements would fall back to NotFound and would be accepted.

-Alex
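
The three outcomes discussed in this thread, as an added example that is not part of the original messages: a minimal route origin validation in the style of RFC 6811, run over constructed ROA payloads. The prefix 192.0.2.0/24, AS64500 and all names in the code are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload, as produced by a relying-party validator."""
    prefix: str
    max_length: int
    asn: int  # 0 is AS0: authorises no origin at all

def validate(route: str, origin_asn: int, vrps: list) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "Valid"  # one matching VRP is enough
    # Covered by at least one VRP but matched by none: Invalid.
    return "Invalid" if covered else "NotFound"

# Constructed sample data (documentation prefix and ASN).
PREFIX, REAL_ASN = "192.0.2.0/24", 64500
REAL_ROA = VRP(PREFIX, 24, REAL_ASN)
AS0_ROA = VRP(PREFIX, 24, 0)

def scenarios() -> dict:
    return {
        "resource or certificate revoked, no ROA left": validate(PREFIX, REAL_ASN, []),
        "real ROA replaced by AS0 ROA": validate(PREFIX, REAL_ASN, [AS0_ROA]),
        "AS0 ROA alongside the real ROA": validate(PREFIX, REAL_ASN, [AS0_ROA, REAL_ROA]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name}: {state}")
```
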