On 20/03/2013 20:00, Borchert, Oliver wrote:
>> On 20/03/2013 17:41, Russ White wrote:
>>>
>>>> What we probably need is something that flags that a
>>>> Certificate or a ROA has disappeared in the last X time. Then as
>>>> operator we could take the action to decide if this was an attack or a
>>>> valid revocation.
>>>
>>> That is probably a good idea... But since the ROAs are time based
>>> themselves, it might be hard to do (?).
>>>
>>> :-)
>>
>> Not sure if it is so hard.
>>
>> If the ROA expires because its date is no longer valid, then that is
>> normal and there is a high probability that there is no attack.
>>
>> Only if the ROA was valid in the previous state and is revoked or
>> missing in the current one will you alert.
>>
>>>
>>> Russ
>>>
>>
>> /as
>
> But what does the alert tell me?
> What if one is multi-homed, uses two ROAs, then switches to being single-homed
> and revokes the second ROA. In this case the owner revoked the ROA and this
> is not an attack - here the alert is not of help at all!
>
> Oliver
That is the problem. It is almost impossible to know when a ROA is
revoked legitimately or by accident/attack. This would only be a mechanism to
alert when something changes; then you decide as operator what to do.
But most probably you will end up ignoring all the alerts unless there
is a big fuss about it.
/as
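The check discussed in this thread, as an added example that is not from any of the posters: diff two validation snapshots, treat a ROA that vanished after its notAfter as an ordinary expiry, treat one that vanished while still within its validity period as a withdrawal, and record whether another ROA in the current snapshot still covers the prefix so the operator can recognise the legitimate multi-homing case Oliver describes. The Roa record and the two snapshots are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Roa:
    """Constructed minimal ROA view: prefix, max length, origin AS, end of validity."""
    prefix: str
    maxlen: int
    asn: int
    not_after: datetime


def classify_missing(previous, current, now):
    """Compare two validation snapshots and classify every ROA that was
    present in `previous` but is absent from `current`.

    Returns (roa, reason, still_covered, severity) tuples:
      reason   'expired'   -> notAfter already passed (normal, low suspicion)
               'withdrawn' -> missing while its validity is still running,
                              the case the thread proposes alerting on
      still_covered       -> another ROA in `current` covers the same prefix
      severity 'info'     -> expiry
               'review'   -> withdrawn, but prefix still covered (e.g. a
                              multi-homed site dropping one of two ROAs)
               'alert'    -> withdrawn and nothing covers the prefix any more
    """
    cur_set = set(current)
    findings = []
    for roa in previous:
        if roa in cur_set:
            continue
        reason = "expired" if roa.not_after <= now else "withdrawn"
        still_covered = any(r.prefix == roa.prefix for r in current)
        if reason == "expired":
            severity = "info"
        else:
            severity = "review" if still_covered else "alert"
        findings.append((roa, reason, still_covered, severity))
    return findings


# Constructed sample snapshots (documentation prefixes and private ASNs).
T0 = datetime(2013, 3, 20, 20, 0, tzinfo=timezone.utc)
PREV = [
    Roa("192.0.2.0/24", 24, 64496, datetime(2013, 3, 19, tzinfo=timezone.utc)),
    Roa("198.51.100.0/24", 24, 64497, datetime(2014, 1, 1, tzinfo=timezone.utc)),
    Roa("198.51.100.0/24", 24, 64498, datetime(2014, 1, 1, tzinfo=timezone.utc)),
    Roa("203.0.113.0/24", 24, 64499, datetime(2014, 1, 1, tzinfo=timezone.utc)),
]
CUR = [PREV[2]]  # only the AS64498 ROA for 198.51.100.0/24 survives

if __name__ == "__main__":
    for roa, reason, covered, severity in classify_missing(PREV, CUR, T0):
        print(f"{severity:6} {roa.prefix} AS{roa.asn}: {reason}, still covered={covered}")
```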
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr