Re: [Sidr] [OPSEC] pccw as17557 leak...

Stephen Kent <> Thu, 28 February 2008 11:35 UTC

Date: Thu, 28 Feb 2008 06:35:20 -0500
To: Vishwas Manral <>
From: Stephen Kent <>
Cc: Roland Dobbins <>, opsec wg mailing list <>,
Subject: Re: [Sidr] [OPSEC] pccw as17557 leak...

At 8:31 PM -0800 2/27/08, Vishwas Manral wrote:
>Hi Stephen,
>The point I raise is that there is a cost associated with this, using
>certificates has a CPU cost associated with it.
>I may be missing the point but even if you leave aside the cost of an
>off line server to do this check but if the checks are done on each
>new prefix we can still overload the off line server. If we do things
>like rate limiting we can still have attacks, or cause delays in
>the convergence times.

I think you are missing the point. So long as the processing is done 
as an offline operation, not as a gating item in routing, it does not 
strike me as a DoS concern. The initial use of the infrastructure is 
analogous to downloading IRR databases and processing the RPSL 
assertions, an operation many ISPs perform today on a daily basis.

More to the point, folks have implemented the necessary software and 
tested it with about 20K certs and CRLs and 10K ROAs, a reasonable 
starting point. I don't have the precise figures in front of me now, 
but I believe their results show that the time to do all the 
processing (on a laptop) is about 20-30 minutes, and the time is 
dominated by the retrieval of the data from online repositories, not 
by the crypto operations per se. For a once-daily, offline
operation, this seems quite reasonable.

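The offline model described in this message, as an added example that is not part of the original post or of the software it refers to: a daily job writes out already-validated ROA contents, and the routing-side check is a table lookup with no crypto, using the valid / invalid / not-found classification later standardized in RFC 6811. The `prefix,maxLength,ASN` snapshot format, the class and function names, and the sample rows are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: the output of the offline crypto run."""
    prefix: ipaddress.IPv4Network   # IPv4 only, to keep the example short
    max_length: int
    origin_as: int

def load_snapshot(lines):
    """Parse 'prefix,maxLength,ASN' rows (hypothetical format) into VRPs."""
    vrps = []
    for line in lines:
        prefix, max_length, asn = line.strip().split(",")
        vrps.append(VRP(ipaddress.IPv4Network(prefix), int(max_length), int(asn)))
    return tuple(vrps)

def classify(vrps, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.IPv4Network(prefix)
    covered = False
    for vrp in vrps:
        if not route.subnet_of(vrp.prefix):
            continue
        covered = True   # some ROA speaks for this address space
        if route.prefixlen <= vrp.max_length and origin_as == vrp.origin_as:
            return "valid"
    return "invalid" if covered else "not-found"

class OriginTable:
    """Holds the last good snapshot; a failed daily run changes nothing."""
    def __init__(self, vrps=()):
        self.vrps = tuple(vrps)

    def refresh(self, fetch):
        try:
            new = load_snapshot(fetch())
        except Exception:
            return False   # keep serving the previous snapshot
        self.vrps = new    # single reference swap, no partial state
        return True

# Constructed sample data: documentation prefixes and documentation ASNs.
SNAPSHOT = ["192.0.2.0/24,24,64500", "198.51.100.0/24,25,64501"]
```

A slow or failed repository fetch only leaves the table one day stale; it never sits in the path of a routing decision.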