RIPE 89

Daily Archives

Theodoros Fyllaridis - 2024-10-28 14:00:39
Hi everyone, I'm Theodoros Fyllaridis from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read them out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.

Please note that all chat transcripts will be archived and made available to the public at https://ripe89.ripe.net/.
The RIPE Code of Conduct: https://www.ripe.net/publications/docs/ripe-766/.

Geoff Huston - 2024-10-28 14:38:10
Hi

Brian Nisbet - 2024-10-28 14:39:21
👋

Andrew Campling - 2024-10-28 14:40:29
Get well soon Geoff

Sebastian Jürges - 2024-10-28 14:40:45
Security is resisted because it has little business value, only high strategic value, and those things rarely get assigned priority in practical operations.

Sebastian Jürges - 2024-10-28 14:41:06
Which is, well, bad.

Geoff Huston - 2024-10-28 14:41:30
Thanks Andrew - Fractured ribs take some time to mend - unfortunately!

Andrew Campling - 2024-10-28 14:41:41
Ouch!

Sebastian Jürges - 2024-10-28 14:42:25
The costs associated with security failures are hard to calculate and too low.

Petra Zeidler - 2024-10-28 14:48:24
MBAs are trained to calculate the price of doing something and usually aren't to calculate the cost of not doing something

Sebastian Jürges - 2024-10-28 14:48:52
^ this

Jan Žorž - 2024-10-28 14:49:04
exactly

Randy Bush - 2024-10-28 14:49:13
ROV is a poor security mechanism. It is also a poor floor wax. Luckily it was designed to be neither. Do note that you do not read daily of global propagation of someone fat fingering a prefix.

Geoff Huston - 2024-10-28 14:49:39
The problem with security is that you can only sign what's "good" so to figure out what's bad it helps if EVERYTHING good is signed. If only some things are signed we are no better off

Sebastian Jürges - 2024-10-28 14:50:42
"everything is shit until proven otherwise" only works if it's easy to identify "good"

Geoff Huston - 2024-10-28 14:51:13
yup - that's what I said

Sebastian Jürges - 2024-10-28 14:51:56
Jup :) sorry, mobile Client didn't scroll :)

Shane Kerr - 2024-10-28 14:53:31
If I get my TLS certificate from Let's Encrypt which relies on the routing table to be secure then isn't that a problem?

Geoff Huston - 2024-10-28 14:54:47
TLS is not perfect by any means - it's actually pretty shonky, but it's what we use.

Sebastian Jürges - 2024-10-28 14:55:29
There is a fallacy with "let's rely on TLS" ... TLS can detect attacks, but not mitigate. Secure Infrastructure can to some degree mitigate (some) attack vectors.

Sebastian Jürges - 2024-10-28 14:55:43
BOTH is what we want, IMHO

Geoff Huston - 2024-10-28 14:56:25
It can, but who is going to pay to have it? What we would _like_ to see and what we are prepared to _pay_ to see are, unfortunately, two different things!

Sebastian Jürges - 2024-10-28 14:57:20
So it's our job to PUSH, isn't it. For the good of all.

Geoff Huston - 2024-10-28 14:57:59
trying to persuade other people to spend their money on what you want is always a challenge!

Petra Zeidler - 2024-10-28 14:58:52
I have DNSSEC deployed and the current added benefit is SSHFP and DANE

Randy Bush - 2024-10-28 14:59:06
can we learn from looking at why dnssec has not deployed but ROV has?

Shane Kerr - 2024-10-28 15:00:40
Because ROV comes through RIR and DNSSEC through domain registries? ;-)

Sebastian Jürges - 2024-10-28 15:01:38
DNS has a large "grey area" of people doing "stupid things" in their internal DNS views, that breaks when deploying dnssec to some point. Huge problem.

Niall O'Reilly - 2024-10-28 15:03:00
I suspect that adoption of TLS for services other than the Web is lower. I'm thinking in particular of email.

Andrew Campling - 2024-10-28 15:09:55
Relying exclusively on app-based security seems likely to make it much easier for attackers. Especially when some apps seem to conflate security and privacy, and anyway prioritise performance.

Shane Kerr - 2024-10-28 15:14:17
Are the computers of ComCom ComComComps?

Shane Kerr - 2024-10-28 15:14:38
Communications from ComCo must be through ComCoComms.

Elmar K. Bins - 2024-10-28 15:29:09
You should definitely check with a Czech

Elmar K. Bins - 2024-10-28 15:29:55
Btw, I find it impressive that Comco actually won this and SC now has to build back... which they will probably do their best to delay... and blame everything on the competition...

Theodoros Fyllaridis - 2024-10-28 15:37:22
This session has now ended. The next session is the Plenary and it will start at 16:00. More info on the RIPE 89 meeting plan: https://ripe89.ripe.net/programme/meeting-plan/

Greg Choules - 2024-10-28 15:38:54
Can the A/V people please look into the fuzzy screen problem? It looks like the left hand side doesn't quite register with the right. Or the resolution is less.