On 3/20/13 4:41 PM, "Russ White" <[email protected]> wrote:

>
>> What we probably need is something that flags that a Certificate
>> or a ROA has disappeared in the last X time. Then as operator we could
>> take the action to decide if this was an attack or a valid revocation.
>
>That is probably a good idea... But since the ROAs are time based
>themselves, it might be hard to do (?).

? Maybe you mean they are signed by certs that have validity periods?

Monitor and log rpki-rtr protocol - look for ROA withdraws.
Wireshark module to do that for you is here:
http://www-x.antd.nist.gov/bgpsrx/

Given that the kind of transformations that Sharon's work describes might be the desirable actions of an ISP reclaiming resources from an ex-customer, what actions will we take to decide otherwise? Sandy's point that such action might be viewed differently looking up the tree, rather than down.

dougm
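
The monitoring suggested in the message above (log rpki-rtr and look for ROA withdrawals), as an added example that is not part of the original message or of the BGP-SRx tooling it links to. It assumes the rpki-rtr version 0 PDU layout from RFC 6810 and an already reassembled cache-to-router byte stream; the sample bytes, prefixes and AS numbers are constructed.

```python
import ipaddress
import struct

PREFIX_PDUS = {4: 4, 6: 16}  # rpki-rtr v0 prefix PDU type -> address bytes

def iter_pdus(stream):
    """Yield (pdu_type, body) for each PDU in a reassembled byte stream."""
    off = 0
    while off < len(stream):
        length = int.from_bytes(stream[off + 4:off + 8], "big")
        if off + 8 > len(stream) or length < 8 or off + length > len(stream):
            raise ValueError(f"bad or truncated PDU at offset {off}")
        yield stream[off + 1], stream[off + 8:off + length]
        off += length

def roa_changes(stream):
    """Return (action, prefix, max_len, asn) for every IPv4/IPv6 Prefix PDU."""
    out = []
    for ptype, body in iter_pdus(stream):
        alen = PREFIX_PDUS.get(ptype)
        if alen is None:
            continue  # cache response, end of data, etc. carry no ROA data
        if len(body) != 8 + alen:
            raise ValueError("prefix PDU with unexpected length")
        flags, plen, maxlen = body[0], body[1], body[2]
        addr = ipaddress.ip_address(body[4:4 + alen])
        asn = int.from_bytes(body[4 + alen:], "big")
        action = "announce" if flags & 1 else "withdraw"  # low bit 0 = withdrawal
        out.append((action, f"{addr}/{plen}", maxlen, asn))
    return out

def withdrawals(stream):
    return [c[1:] for c in roa_changes(stream) if c[0] == "withdraw"]

def make_prefix_pdu(flags, prefix, maxlen, asn):
    net = ipaddress.ip_network(prefix)
    body = bytes([flags, net.prefixlen, maxlen, 0]) + net.network_address.packed
    body += asn.to_bytes(4, "big")
    return struct.pack("!BBHI", 0, 4 if net.version == 4 else 6, 0, 8 + len(body)) + body

# Constructed sample: cache response, one announcement, two withdrawals, end of data
SAMPLE = (struct.pack("!BBHI", 0, 3, 7, 8)
          + make_prefix_pdu(1, "192.0.2.0/24", 24, 64496)
          + make_prefix_pdu(0, "198.51.100.0/24", 24, 64497)
          + make_prefix_pdu(0, "2001:db8::/32", 48, 64496)
          + struct.pack("!BBHII", 0, 7, 7, 12, 42))

if __name__ == "__main__":
    print(withdrawals(SAMPLE))
```

Each returned tuple is a candidate for the operator review discussed in the thread; the parser does not itself tell a valid revocation from an attack.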
