nanog mailing list archives
Re: Reaching out to ARIN members about their RPKI INVALID prefixes
From: Job Snijders <job () ntt net>
Date: Wed, 19 Sep 2018 07:44:57 +0000
On Tue, Sep 18, 2018 at 06:18:00PM -0700, Owen DeLong wrote:
That depends. If you ONLY allow the maintainer of NET-192.159.10.0/24 to update the route objects for it, then the word ONLY is effectively present by the lack of any other route objects.
Ah, so you are now applying the RPKI Origin Validation procedure to a non-existent flavor of IRR? :-) Today I can create route-objects covering 192.159.10.0/24 in a number of IRR databases and there is nothing you can do to prevent that, this simply is not the case with RPKI. I prefer an existing system (RPKI) over hypotheticals (Owen's IRR). Secondly, I've also noticed you only emphasize an adversarial angle (origin spoofing), but there are other angles too. The majority of today's BGP problems are attributable to operator mistakes (misconfigurations). Analysis has shown that most BGP incidents happen on weekdays rather than in the weekend. The number keys on our keyboards are quite close to each other and Origin Validation is very effective against typos. Another angle is bugs in BGP implementations: your neighbors doing origin validation reduces the impact and propagation of incorrect announcements from your network should you run into a software defect.
So RPKI is great if we can just reduce the internet diameter to 1
Agreed, in other words: RPKI is offers tangible benefits to those that peer directly with each other, or use peerlock.
in which case MD5 passwords on your BGP sessions pretty much accomplishes the same thing with a lot less kerfuffle.
Uhh... you may want to refresh your memory on what BGP is and how TCP-MD5 works. Kind regards, Job
Current thread:
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes, (continued)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Jared Mauch (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 19)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 19)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 19)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 19)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Jared Mauch (Sep 19)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Baldur Norddahl (Sep 20)