nanog mailing list archives

Re: Reaching out to ARIN members about their RPKI INVALID prefixes


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 18 Sep 2018 14:32:42 -0700

On Tue, Sep 18, 2018 at 12:04 PM Owen DeLong <owen () delong com> wrote:



On Sep 18, 2018, at 11:06 AM, Christopher Morrow <morrowc.lists () gmail com>
wrote:



On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <job () ntt net> wrote:

Owen,

On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
Personally, since all RPKI accomplishes is providing a
cryptographically signed notation of origin ASNs that hijackers should
prepend to their announcements in order to create an aura of
credibility, I think we should stop throwing resources down this
rathole.
I think you underestimate how valuable RPKI based Origin Validation
(even just by itself) is in today's Internet landscape.

If you are aware of other efforts or more fruitful approaches please let
us know.


Perhaps said another way:

"How would you figure out what prefixes your bgp peer(s) should be sending
you?"
   (in an automatable, and verifiable manner)

-chris


In theory, that’s what IRRs are for.


It's not worked out so far. There's no real authorization/authentication of
note on the data set via the IRR. You have no real way of knowing that 'AS12
should be announcing 157.130.0.0/16' ... except by chasing the ARIN/RIPE/etc
records today. Something that those orgs stamp and which machines could
validate without people using eyeballs would sure be nice... Oh, that's what
RPKI is supposed to provide.


In practice, while they offer better theoretical capabilities if stronger
authentication were added, the current implementation and acceptance leaves
much to be desired.


And has for approximately 30 yrs... I don't imagine it's magically going to
get better in the next 30 either.




However, even in theory, RPKI offers nothing of particular benefit even in
its best case of widespread implementation.


"rir says owen can originate route FOO"
"ROA for 157.130.1.0/24 says OWEN can originate"

those seem like valuable pieces of information. Especially since I can know
this through some machine parseable fashion.

-chris

Owen
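The ROA check Chris describes ("ROA for 157.130.1.0/24 says OWEN can originate") is RFC 6811 Route Origin Validation. The Python below is an added example, not code from the thread or from any participant: it classifies announcements as valid, invalid or notfound against a small constructed ROA set, and filters out the invalids that an outreach effort like the one in the subject line would chase. The 157.130.0.0/16 prefix and AS12 come from the thread; the maxLength values, the /24 ROA and AS64500 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int   # longest prefix length the ROA authorises
    origin_asn: int


# Constructed ROAs for this example, not taken from any RIR repository.
# 157.130.0.0/16 and AS12 are the values used in the thread; the maxLength
# of 16 and the second ROA (AS64500, a private-use ASN) are assumptions.
ROAS = [
    ROA("157.130.0.0/16", 16, 12),
    ROA("157.130.1.0/24", 24, 64500),
]


def validate_route(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 outcome for one (prefix, origin AS) pair.

    A ROA covers the route if the route lies within the ROA prefix. The
    route is valid if some covering ROA names this origin AS and the route
    is no longer than that ROA's maxLength; invalid if ROAs cover it but
    none match; notfound if no ROA covers it at all. ROV checks the origin
    only; it does not check the rest of the AS path.
    """
    route = ip_network(prefix, strict=False)
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == route.version
        and route.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def find_invalids(announcements, roas=ROAS):
    """Return the (prefix, origin) pairs whose ROV outcome is invalid,
    i.e. the ones an outreach effort would contact the holder about."""
    return [(p, a) for p, a in announcements if validate_route(p, a, roas) == "invalid"]


# Constructed announcements, as a route collector might record them.
SAMPLE_ANNOUNCEMENTS = [
    ("157.130.0.0/16", 12),      # exact match of the covering ROA
    ("157.130.1.0/24", 64500),   # matches the more-specific ROA
    ("157.130.1.0/24", 12),      # too long for the /16 ROA, wrong AS for the /24 ROA
    ("157.130.0.0/16", 64500),   # covered, but wrong origin AS
    ("203.0.113.0/24", 12),      # no covering ROA
]
```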


