On Jan 23, 2014, at 7:46 AM, Demian Rosenkranz <[email protected]> wrote:
> Hi,
>
> I'm thinking about another potential DoS attack. An entity which owns a CA
> certificate has the possibility to generate a huge hierarchy of further CA
> certificates without any limitation (as far as I know).
>
> In contrast to the generation of a huge amount of ROAs, this attack isn't
> limited regarding the number of objects/certificates.
>
> I.e. a compromised/bad entity owns a /16 prefix and generates 10000 CA
> certificates and hands down this prefix until the lowest CA certificate and
> generates 2^8 ROAs; a relying party software would be forced to check this
> hierarchy 2^8 times.
> Of course, this is kind of a blunt attack, but without making any provisions,
> this "local cache flooding" could lead to a disturbance of all (worst case)
> local caches for a certain time. Some smaller RPs could be slower in remedying
> this.
>
> Are there any restrictions to this attack I've missed? Any feedback is very
> welcome!

We certainly see this scale of prefix registration within the IRR dataset. (Folks registering each variant of the entire covering prefix of a /16, for example.) I imagine the same would be done with the same rationale by someone well-intentioned.

- Jared

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
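To make the relying-party side of this concrete, here is a constructed Python toy model (added here; it is not code from the thread or from any RP implementation) that builds the 10000-level chain described above, walks it once applying the RFC 3779 resource-subset check at each step, and shows how hypothetical `max_depth` / `max_certs` limits let an RP bound the work a single hierarchy can cost it.

```python
"""Constructed toy model (not RP software) of relying-party work on a deep
CA hierarchy, with hypothetical depth/object limits that bound it."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

@dataclass
class CACert:
    name: str
    prefixes: List[IPv4Network]                         # certified resources
    children: List["CACert"] = field(default_factory=list)
    roas: int = 0                                       # ROAs issued directly by this CA

class BudgetExceeded(Exception):
    """Validation exceeded the RP's configured limits."""

def build_chain(depth: int, prefix: str, roas_at_leaf: int) -> CACert:
    """One CA per level, each handing the whole prefix down unchanged;
    all ROAs sit under the deepest CA (the scenario from the mail)."""
    net = ip_network(prefix)
    root = cur = CACert("CA0", [net])
    for i in range(1, depth):
        cur.children.append(CACert(f"CA{i}", [net]))
        cur = cur.children[0]
    cur.roas = roas_at_leaf
    return root

def covered(child: CACert, parent: CACert) -> bool:
    """Every child prefix must lie within a parent prefix (RFC 3779 subset rule)."""
    return all(any(c.subnet_of(p) for p in parent.prefixes) for c in child.prefixes)

def validate(root: CACert, max_depth: Optional[int] = None,
             max_certs: Optional[int] = None) -> Tuple[int, int]:
    """Iterative walk (recursion would hit Python's limit on deep chains).
    Returns (certificates checked, ROAs checked); in this model each certificate
    is examined once, so cost is linear in the number of objects.
    max_depth / max_certs are hypothetical RP limits, not standard knobs."""
    certs = roas = 0
    stack = [(root, 1)]
    while stack:
        cert, depth = stack.pop()
        certs += 1
        if max_depth is not None and depth > max_depth:
            raise BudgetExceeded(f"chain deeper than {max_depth} at {cert.name}")
        if max_certs is not None and certs > max_certs:
            raise BudgetExceeded(f"more than {max_certs} certificates under one TA")
        roas += cert.roas
        for child in cert.children:
            if covered(child, cert):        # over-claiming children are dropped
                stack.append((child, depth + 1))
    return certs, roas
```

Running `validate(build_chain(10000, "10.0.0.0/16", 256))` completes with 10000 certificates and 256 ROAs examined once each, while the same call with `max_depth=64` raises `BudgetExceeded` long before the chain is walked.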
