[lacnog] Bogon route objects in the LACNIC IRR

Rubens Kuhl rubensk at gmail.com
Wed Aug 18 13:18:24 -03 2021


> >The very same capability that permits this handful of CAs to
> >'misconfigure' their RPKI ROAs (keep in mind their ability to shoot
> >themselves in the foot is restricted merely to their own IP space!), is
> >also what enables the other 2,940 Certificate Authorities to provide
> >authorization to service ISPs both inside and outside the LACNIC region,
> >Legacy ASN or not, past and future.
>
> So, we are designing *deliberately* insecure systems, procedures and
> mechanisms specifically for the benefit of profit-making Certificate
> Authorities who also are... for no very well specified reasons... either
> unable or unwilling to interrogate the daily RIR stats files to see what
> is a bogon ASN and what isn't??  Is that really what you are saying?

There is no connection whatsoever between RPKI and commercial CAs. The
only trust anchors in the routing system that routing operators
actually configure are the RIR ones.
I've never seen a certificate saying "10.0.0.0/8" from DigiCert,
Comodo etc. And if they issue such, nobody would trust such a cert
anyways.

Rubens

