nanog mailing list archives

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

From: Owen DeLong <owen () delong com>
Date: Tue, 18 Sep 2018 14:18:55 -0700

On Sep 18, 2018, at 12:09 PM, Jared Mauch <jared () puck nether net> wrote:

On Sep 18, 2018, at 3:04 PM, Owen DeLong <owen () delong com> wrote:

On Sep 18, 2018, at 11:06 AM, Christopher Morrow <morrowc.lists () gmail com> wrote:



On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <job () ntt net> wrote:
Owen,

On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:

Personally, since all RPKI accomplishes is providing a
cryptographically signed notation of origin ASNs that hijackers should
prepend to their announcements in order to create an aura of
credibility, I think we should stop throwing resources down this
rathole.

I think you underestimate how valuable RPKI based Origin Validation
(even just by itself) is in today's Internet landscape.

If you are aware of other efforts or more fruitful approaches please let
us know.


Perhaps said another way: 

"How would you figure out what prefixes your bgp peer(s) should be sending you?"
  (in an automatable, and verifiable manner)

-chris


In theory, that’s what IRRs are for.

In practice, while they offer better theoretical capabilities if stronger authentication were added, the current 
implementation and acceptance leaves much to be desired.


Judging a global ecosystem just by what ARIN does is perhaps some of the issue.  ARIN seems to be the outlier here as 
has been measured.  An ARIN prefix ROA is less valuable than the other regions and this is IMO deliberate on the part 
of ARIN.

However, even in theory, RPKI offers nothing of particular benefit even in its best case of widespread 
implementation.


Disagree, but that’s ok.  I know at $dayJob I’m preparing the way, but it’s much harder than it should be due to the 
nature of our business.

- Jared


What does RPKI offer other than a way to know what to spoof in a prepend for your forged announcement?

Owen

Current thread:

Reaching out to ARIN members about their RPKI INVALID prefixes nusenu (Sep 18)
- Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
  - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Jared Mauch (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 19)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Christopher Morrow (Sep 19)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 19)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Owen DeLong (Sep 18)
    - Re: Reaching out to ARIN members about their RPKI INVALID prefixes Job Snijders (Sep 18)

(Thread continues...)