nanog mailing list archives

Re: RPKI unknown for superprefixes of existing ROA ?


From: Tom Beecher <beecher () beecher cc>
Date: Sun, 22 Oct 2023 13:40:06 -0400

Can an operator discard no RPKI / RPKI INVALID *from the DFZ* today, or at
any time in the foreseeable future? No. Probably not ever.

That does not mean there are other perfectly reasonable RPKI use cases
where an AS 0 ROA does accomplish exactly what it was designed to do.


On Sun, Oct 22, 2023 at 1:24 PM William Herrin <bill () herrin us> wrote:

> On Sun, Oct 22, 2023 at 10:06 AM Tom Beecher <beecher () beecher cc> wrote:
> > And is it your belief that this addresses the described attack vector?
> > AFAICT, it does not.
>
> In the mixed RPKI / non-RPKI environment of today's internet, no it
> doesn't.
>
> I don't see a path to an Internet where a serious network operator can
> broadly discard routes for which there is no RPKI information.
> Especially given that many legacy folks are barred by the registry
> from participating in RPKI.
>
> Do you see a path?
>
> Then we have to treat this as a case where RPKI is non-performant and
> operate with the understanding that an AS0 ROA will not, as a
> practical matter, accomplish the thing it was designed to do.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/

