Jim Reid wrote on 5/5/11 09:45 : [...]
Personally, I'm not too fussed by this. The bad guys are not likely to be forming an orderly queue to get their certs from the NCC. And I think/hope the Dutch courts would take a robust view when governments or the Scientologists come looking for a court order. But in the final analysis, I struggle to see how an RPKI cert revocation would be any different from adding a prefix to the "official" blacklist that ISPs are encouraged to implement today.
Yes. At the end of the day application of RPKI or BGPsec is a local ISP policy decision. If filtering based on the current RIR registry databases were ubiquitous among the ISPs, these databases would have had the same effect as the RPKI. I doubt application of the RPKI will become ubiquitous in the near future. And if a common local policy is that it just increases the preference of the route, absence of a validatable ROA means that the system falls back to insecure, which is what we have now. But it will still protect (modulo no path protection) against address hijacking.

Andrei