Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Rubens Kuhl (rubensk) writes: > > In case you feel a BGP announcement should not be "RPKI Invalid" but > > something else, you do what's described on slide 15-17: > > > > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf > > The same currently happens with DNSSEC, doing what Comcas

Re: rpki vs. secure dns?

2012-04-28 Thread Rubens Kuhl
> In case you feel a BGP announcement should not be "RPKI Invalid" but > something else, you do what's described on slide 15-17: > > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf The same currently happens with DNSSEC, doing what Comcast calls "negative trust anchors": http://t

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 19:45, Nick Hilliard wrote: > On 28/04/2012 18:27, Phil Regnauld wrote: >> To me that seems like the most obvious problem, but as Alex put it, >> "Everyone has the ability to apply an override on data they do not >> trust, >> or have a specific local policy for.

Re: rpki vs. secure dns?

2012-04-28 Thread Nick Hilliard
On 28/04/2012 18:27, Phil Regnauld wrote: > To me that seems like the most obvious problem, but as Alex put it, > "Everyone has the ability to apply an override on data they do not > trust, > or have a specific local policy for." So what do you suggest to do with a roa lookup wh

Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Nick Hilliard (nick) writes: > > Leaving aside technical matters, this is one of the more contentious > political issues with RPKI. RPKI is a tool which can be used to locally > influence routing decisions, but allows centralised control of prefix > authenticity. If this central point is influen

Re: rpki vs. secure dns?

2012-04-28 Thread Nick Hilliard
On 28/04/2012 14:04, Alex Band wrote: > they do not trust, or have a specific local policy for. In the toolsets > for using the RPKI data set for routing decisions, such as the RIPE NCC > RPKI Validator, every possible step is taken to ensure that the > operator is in the driver's seat. L

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: > At RIPE 63, six months ago, the RIPE NCC membership got a chance to > vote on RPKI at the general meeting. The result was that the RIPE > NCC has the green light to continue offering the Resource > Certification service, including all BGP Origin Validation related > functionality.

Re: Need spamcop/ironport security contact

2012-04-28 Thread Alex Brooks
Hello, On Sat, Apr 28, 2012 at 3:29 AM, Mike wrote: > > I have a security incident to report and need to make contact with a > senior level contact responsible for spamcop/ironport immediately. > Although I'm pretty sure the OP will have got in touch with someone by now, for reference for

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
> first thing that sprung to mind was this: > http://www.cafepress.com.au/nxdomain geoff wore one at ripe64. i was soo green with envy that he has graciously sent one to meet me when i get home from travails. see http://archive.psg.com/001213.ietf-dns.pdf for my comments on the subject at an

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
[ sorry cameron, trying to keep things down to one message ] > http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem > http://www.itworld.com/security/272320/engineers-ponder-easier-fix-dangerous-internet-problem and don't miss http://www.theregister.co.

Re: Need spamcop/ironport security contact

2012-04-28 Thread Suresh Ramasubramanian
On Sat, Apr 28, 2012 at 6:49 PM, Stephane Bortzmeyer wrote: >> And you need a *senior* level contact, why? > > He probably meant "someone who has seen an IP address before", not > level1-support. spamcop being largely volunteer run has people on it that have a few years more spam filtering experi

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 01:17:10PM +0300, Saku Ytti wrote a message of 27 lines which said: > I think ROVER is better solution, doesn't need any changes to BGP > just little software magic when accepting routes. I like Rover but RPKI+ROA does not change BGP either (it will be a different stor

Re: Need spamcop/ironport security contact

2012-04-28 Thread Stephane Bortzmeyer
On Fri, Apr 27, 2012 at 11:41:57PM -0400, valdis.kletni...@vt.edu wrote a message of 33 lines which said: > > I have a security incident to report and need to make contact with > > a senior level contact responsible for spamcop/ironport > > immediately. > > And you need a *senior* level conta

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote: > On Sat, Apr 28, 2012 at 12:34:52PM +0200, > Alex Band wrote > a message of 41 lines which said: > >> In reality, since the RIRs launched an RPKI production service on 1 >> Jan 2011, adoption has been incredibly good (for example compared t

Re: New IETF I-D: Security Implications of IPv6 on IPv4 networks

2012-04-28 Thread Fernando Gont
FYI, I posted a rev of this I-D a couple of days ago, and hence the previous document was automatically removed (thus resulting in a broken link). The latest version of this document is always available at the magic URL:

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin Validation related functionality. It's correct that conc

Re: Vendor IPv6 RA Guard Support

2012-04-28 Thread Fernando Gont
On 04/28/2012 09:11 AM, Christopher J. Pilkington wrote: > Does there exist a multi-vendor list showing whether a particular > switch hardware/software supports or does not support RA Guard? Last time (a couple of months ago, or so) this was discussed on the ipv6hackers mailing-list (http://lists.

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 12:34:52PM +0200, Alex Band wrote a message of 41 lines which said: > In reality, since the RIRs launched an RPKI production service on 1 > Jan 2011, adoption has been incredibly good (for example compared to > IPv6 and DNSSEC). More than 1500 ISPs and large organizatio

Re: Vendor IPv6 RA Guard Support

2012-04-28 Thread Michael Muller
That would be kind of interesting. I do not know any promoted "RA guard" function that defends against http://thc.org/thc-ipv6/, yet. Perhaps the guys from http://tools.ietf.org/wg/savi/ do know more about specific switch vendors.

Vendor IPv6 RA Guard Support

2012-04-28 Thread Christopher J. Pilkington
Does there exist a multi-vendor list showing whether a particular switch hardware/software supports or does not support RA Guard? -cjp

Re: rpki vs. secure dns?

2012-04-28 Thread Stephane Bortzmeyer
On Sat, Apr 28, 2012 at 03:04:07AM -0700, Randy Bush wrote a message of 9 lines which said: > draft-bates-bgp4-nlri-orig-verif-00.txt was '98 > > and we dropped it for good reasons Unfortunately, we have RFCs for good ideas but bad ideas never get documented by the IETF (one of the few excep

Re: Operation Ghost Click

2012-04-28 Thread Rich Kulawiec
On Thu, Apr 26, 2012 at 10:03:44PM -0400, Jeff Kell wrote: > And what about the millions of users unknowingly infected with > "something else" ?? s/millions/hundreds of millions/ We passed the 100M zombie/bot mark years ago and nothing has happened in the interim that should/would cause the trend

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: >> I don't know if we can get RPKI to deployment because RIPE and RIPE >> NCC have rather serious issues with it. On the other hand, there >> doesn't seem to be anything else which keeps RIRs relevant in the >> post-scarcity world, so we'll see what happens. > > Could you elaborate o

Re: rpki vs. secure dns?

2012-04-28 Thread Alex Band
On 28 Apr 2012, at 11:56, Florian Weimer wrote: > * Paul Vixie: > >> this seems late, compared to the various commitments made to rpki in >> recent years. is anybody taking it seriously? > > The idea as such isn't new, this has been floating around for four > years or more, including at least o

Re: rpki vs. secure dns?

2012-04-28 Thread Saku Ytti
On (2012-04-27 22:05 +), Paul Vixie wrote: > this seems late, compared to the various commitments made to rpki in > recent years. is anybody taking it seriously? (disclaimer I'm almost completely clueless on RPKI). If two fails don't make win, then I think ROVER is better solution, doesn't n

Re: rpki vs. secure dns?

2012-04-28 Thread Randy Bush
> The idea as such isn't new, this has been floating around for four > years or more, including at least one Internet draft, > draft-donnerhacke-sidr-bgp-verification-dnssec. draft-bates-bgp4-nlri-orig-verif-00.txt was '98 and we dropped it for good reasons randy

Re: Operation Ghost Click

2012-04-28 Thread Florian Weimer
* Jeff Kell: > And what about the millions of users unknowingly infected with > "something else" ?? You have to start somewhere. I received a warning letter, and four or five very organizations had to cooperate in new ways to make this happen. This is certainly a welcome development, and hopefu

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Paul Vixie: > this seems late, compared to the various commitments made to rpki in > recent years. is anybody taking it seriously? The idea as such isn't new, this has been floating around for four years or more, including at least one Internet draft, draft-donnerhacke-sidr-bgp-verification-dns

Re: rpki vs. secure dns?

2012-04-28 Thread Matthias Waehlisch
line 408 ff. in the IETF 83 SIDR minutes * http://www.ietf.org/proceedings/83/minutes/minutes-83-sidr.txt Cheers matthias -- Matthias Waehlisch . Freie Universitaet Berlin, Inst. fuer Informatik, AG CST . Takustr. 9, D-14195 Berlin, Germany .. mailto:waehli...@ieee.org .. http://www.

Re: JUNOS forwards IPv6 link-local packets

2012-04-28 Thread Owen DeLong
We kind of needed them in IPv4, though not universally. At least in IPv6, we have them. Owen On Apr 27, 2012, at 12:16 PM, Christopher Morrow wrote: > you know what I love? address selection rules, or rather the fact that > we have to have them in this new ip protocol :( > > bugs and code prob

Re: Squeezing IPs out of ARIN

2012-04-28 Thread Luke S. Crawford
On Tue, Apr 24, 2012 at 01:32:17PM -0400, ad...@thecpaneladmin.com wrote: > Anyone have any tips for getting IPs from ARIN? For an end-user > allocation they are requesting that we provide customer names for > existing allocations, which is information that will take a while to > obtain. They ar