nanog mailing list archives
Re: Reaching out to ARIN members about their RPKI INVALID prefixes
From: Job Snijders <job () ntt net>
Date: Tue, 18 Sep 2018 17:35:42 +0000
Owen,

On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
> Personally, since all RPKI accomplishes is providing a cryptographically signed notation of origin ASNs that hijackers should prepend to their announcements in order to create an aura of credibility, I think we should stop throwing resources down this rathole.

1/ You may be overlooking the fact that many networks peer directly with what (for them) are the important sources/destinations. The semantics of RPKI ROAs help block illegitimate more-specifics, and the short AS_PATH between players prevents a hijacker from inserting themself. In other words - the most important AS_PATHs are 1 hop. The Internet's dense interconnectedness is saving its bacon.

2/ Another approach to achieve path validation for 1 hop is through mechanisms such as what NTT calls 'peerlock'.
https://www.youtube.com/watch?v=CSLpWBrHy10

3/ Lastly, some folks are innovating in this space to help automate concepts such as peerlock through what is called ASPA. ASPA is intended as an out-of-band, deployable alternative to BGPSec.
https://tools.ietf.org/html/draft-azimov-sidrops-aspa-profile
https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification

I think you underestimate how valuable RPKI based Origin Validation (even just by itself) is in today's Internet landscape.

If you are aware of other efforts or more fruitful approaches please let us know.

Kind regards,

Job
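The ROA semantics referred to in point 1/, as an added example that is not part of the original post: a minimal route origin validation check following RFC 6811. The ROA table, prefixes (documentation ranges) and ASNs (documentation ASNs) are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs, not real data: (prefix, maxLength, authorized origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]

def origin_of(as_path):
    """The origin AS is the last (rightmost) ASN in the AS_PATH."""
    return as_path[-1]

def validate_origin(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the right origin AND a length within maxLength.
        # AS0 in a ROA never matches any route.
        if route.prefixlen <= max_len and origin == roa_asn and roa_asn != 0:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", [64500]),         # legitimate announcement
        ("192.0.2.0/24", [64511]),         # wrong origin AS
        ("192.0.2.0/25", [64511, 64500]),  # more-specific, authorized origin at end of path
        ("192.0.2.0/24", [64511, 64500]),  # same length, authorized origin at end of path
        ("198.51.100.0/24", [64511]),      # no covering ROA
        ("2001:db8:1::/48", [64500]),      # within maxLength 48
        ("2001:db8:1:1::/64", [64500]),    # longer than maxLength 48
    ]
    for prefix, path in announcements:
        print(f"{prefix:20} path={path} -> {validate_origin(prefix, path)}")
```

The /25 is rejected even though its path ends in the authorized origin, because it exceeds the ROA's maxLength; the equal-length announcement with the same path tail passes origin validation, which is the case that short AS_PATHs, peerlock and ASPA are meant to address.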