> Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID
> route announcement; the result is RPKI UNKNOWN.

Which is fine until UNKNOWNs are no longer permitted, a logical next step. It may not apply globally, initially perhaps just a US anti terrorist measure requiring all networks in the USA do it.

> The only way a court order could make a route announcement get the
> RPKI status *INVALID* would be to:
> 1: Remove the original, legitimate ROA
> 2: Tamper with the Registry, inject a false ROA authorizing another
> AS to make the announcement look like a hijack

Domains already get FBI hijacked so this seems plausible too.

> All in all, for an RPKI-specific court order to be effective in
> taking a network offline, the RIR would have to tamper with the
> registry, inject false data and try to make sure it's not detected so
> nobody applies a local override.

Doesn't need to be undetected, more likely it'll be quite overt and have a big don't mess FBI entry in the RIR similar to www.megaupload.com

brandon
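
The validation outcomes discussed in this message, as an added example that is not part of the original thread: a minimal Python version of RFC 6811 route origin validation, run over constructed ROAs for a documentation prefix and documentation ASNs. The function names and the `reject_unknown` policy flag are assumptions for illustration; RFC 6811 calls the UNKNOWN state NotFound.

```python
import ipaddress

def rov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation. vrps: list of (roa_prefix, max_length, asn).

    Returns 'VALID', 'INVALID' or 'UNKNOWN' (NotFound in RFC 6811 terms).
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA only counts if its prefix covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (AS0 never matches) and length within maxLength.
        if asn != 0 and asn == origin_as and route.prefixlen <= max_length:
            return "VALID"
    # Covered but unmatched is INVALID; no covering ROA at all is UNKNOWN.
    return "INVALID" if covered else "UNKNOWN"

def accepted(state, reject_unknown=False):
    """Import policy: INVALID is always dropped; UNKNOWN only if reject_unknown."""
    return state == "VALID" or (state == "UNKNOWN" and not reject_unknown)

# Constructed sample data: documentation prefix (RFC 5737) and ASNs (RFC 5398).
ROUTE = ("192.0.2.0/24", 64496)
LEGIT_ROA = ("192.0.2.0/24", 24, 64496)
FALSE_ROA = ("192.0.2.0/24", 24, 64511)

def scenarios():
    prefix, origin = ROUTE
    return {
        "roa_published": rov_state(prefix, origin, [LEGIT_ROA]),
        "roa_removed": rov_state(prefix, origin, []),
        "roa_replaced": rov_state(prefix, origin, [FALSE_ROA]),
        # Adding a conflicting ROA without removing the real one changes nothing.
        "false_roa_added_only": rov_state(prefix, origin, [LEGIT_ROA, FALSE_ROA]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22} {state:8} default={accepted(state)} "
              f"strict={accepted(state, reject_unknown=True)}")
```

Only the `roa_removed` row changes between the default and strict policies, which is the case the reply is concerned with.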