On Nov 30, 2012, at 2:37 PM, Arturo Servin wrote:

>
> If you only have one cache, and this fails, and you need to restore the
> whole repository(ies): then yes. You have a problem.
>
> But if you have two cache servers, perhaps you would not even notice
> while the second one is getting the whole repository(ies).
>
> But I am not sure if I am following your and Russ's rationale.

I'm not talking about the new attack surface elements we're introducing here, Arturo; that's an orthogonal second-order concern. I'm talking about my inability to assert reachability for new destinations on the Internet (i.e., my infrastructure or DDoS customers' prefixes) when attacks occur, without hours or days of downtime on the properties being attacked, until RPKI objects are fetched from every publication point on the Internet, controls are derived, and propagated to every RPKI cache in every operator's network, and distributed to some sort of policy engine in routers for validation (and such) for routes in BGP.

This is not a worry I have today when responding to these threats, and a serious problem if it exists.

The fact that the RPKI itself could be attacked is just gravy.

-danny

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
