Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

[Yang Xiang <xiangy08 () csnet1 cs tsinghua edu cn>]

2012/1/20 Arturo Servin <aservin () lacnic net>

> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
>
> > RPKI is great.
> >
> > But, firstly, ROA doesn't cover all the prefixes now,
> > we need an alternative service to alert hijackings.
>
>         Or to sign your prefixes.

Sign prefixes is the best way.
Before sign all prefixes, it is better if we have a detection service.


> > secondly, ROA can only secure the 'Origin AS' of a prefix,
>
>         That's true.
>
> > while Argus can discover potential hijackings caused by anomalous AS
> path.
>
>         Can you explain how?

Only a imprecisely detection.

Section III.C in our paper
http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf

A brief explanation is:
If an anomalous AS path hijacked a prefix,
I can get replies in normal route-server, and can not get reply in abnormal
route-servers.

Here we only consider hijackings that black-hole the prefix.
If a hijacking doesn't black-hole the prefix (i.e., redirect, interception,
...), is hard to detect :(

I think network operators are only careless, but not trust-less,
so black-hole hijacking is the majority case.


> > After ROA and BGPsec deployed in the entire Internet (or, in all of your
> network),
> > Argus will stop the service :)
>
>         I was just suggesting to add a more deterministic way to detecting
> hijacks.

Sorry for my poor English :(
What I want to say is, RPKI is really good,
Argus is just an alternative,
before we can protect ourself using signatures,
honestly :-)

Best regards!


> Regards,
> as
>
>
> > --
> > _________________________________________
> > Yang Xiang. Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn


-- 
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn