nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 21 Apr 2020 11:07:03 +0200
There are in fact five anchors. I am not sure ARIN would be able to stop anyone holding RIPE space provided the resource holder uses RIPE RPKI anchor for publishing his ROAs.
Regards, Baldur On 21.04.2020 08.51, Matt Corallo via NANOG wrote:
I find it fascinating that in this entire thread about the nature of RPKI the shift in the role of the RIR hasn’t come up. Instead of RIRs coordinating address space use by keeping a public list which is (or should be) checked when a new peering session is added, RPKI shifts RIRs into the hot path of routing updates. Next time the US government decides some bad, bad, very bad country should be cut off from the world with viral sanctions, there’s a new tool available - by simply editing a database, every border router in the world will refuse to talk to $EVIL. By no means am I suggesting we should stop the RPKI train (and AS397444 happily drops invalids and has ROAs for all prefixes), but there’s a very cost here that doesn’t appear to have gotten much love, let alone mitigation effort. In the context of RIPE having to ask for permission to keep receiving payments from several Iranian LIRs, this isn’t completely inconceivable. By way of an example, something like a waiting period for RIRs to add new ROAs replacing removed ROAs (which would imply some kind of signed replacement, but you get the point). At least ARIN already has a several-month quieting period after yanking resources for non-payment, why not use that to give operators time to think about whether they mind talking to Iran? /ducks MattOn Apr 20, 2020, at 08:10, Andrey Kostin <ankost () podolsk ru> wrote: Hi Nanog list, Would be interesting to hear your opinion on this: https://isbgpsafeyet.com/ We have cases when residential customers ask support "why is your service isn't safe?" pointing to that article. It's difficult to answer correctly considering that the asking person usually doesn't know what BGP is and what it's used for, save for understanding it's function, design and possible misuses. IMO, on one hand it promotes and is aimed to push RPKI deployment, on the other hand is this a proper way for it? How ethical is to claim other market players unsafe, considering that scope of possible impact of not implementing it has completely different scale for a small stub network and big transit provider? Kind regards, Andrey
Current thread:
- Re: "Is BGP safe yet?" test, (continued)
- Re: "Is BGP safe yet?" test Sander Steffann (Apr 21)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 21)
- Re: "Is BGP safe yet?" test Alex Band (Apr 21)
- Re: "Is BGP safe yet?" test Matt Corallo via NANOG (Apr 21)
- Re: "Is BGP safe yet?" test Christopher Morrow (Apr 21)
- Re: "Is BGP safe yet?" test Matt Corallo via NANOG (Apr 21)
- Re: "Is BGP safe yet?" test Rubens Kuhl (Apr 21)
- Re: "Is BGP safe yet?" test Matt Corallo via NANOG (Apr 21)
- Re: "Is BGP safe yet?" test Danny McPherson (Apr 22)
- Re: "Is BGP safe yet?" test Warren Kumari (Apr 22)
- Re: "Is BGP safe yet?" test Matt Corallo via NANOG (Apr 21)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 22)
- Re: "Is BGP safe yet?" test Danny McPherson (Apr 22)
- Re: "Is BGP safe yet?" test Christopher Morrow (Apr 22)
- Re: "Is BGP safe yet?" test Christopher Morrow (Apr 22)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 23)