nanog mailing list archives

Re: "Is BGP safe yet?" test


From: Tom Beecher <beecher () beecher cc>
Date: Mon, 20 Apr 2020 12:50:54 -0400


> We've seen that validators are free, and work very well.


Work on a technical level, yes. But there are legal concerns in the ARIN
region with that, some of which are spelled out here, by ACTUAL lawyers.

https://pc.nanog.org/static/published/meetings/NANOG75/1900/20190219_Yoo_Rpki_Legal_Barriers_v1.pdf


Not going to dive any further into that subject here, wrong forum, but it's
illustrative of my overall point. Thar Were Dragons still to be slayed on
this topic already, and I think CF has just made that harder.

On Mon, Apr 20, 2020 at 12:41 PM Mark Tinka <mark.tinka () seacom mu> wrote:

> On 20/Apr/20 18:24, Tom Beecher wrote:
>> Technical people need to make the business case to management for RPKI
>> by laying out what it would cost to implement (equipment, resources,
>> ongoing opex), and what the savings are to the company from protecting
>> themselves against hijacks. By taking this step, I believe RPKI will
>> become viewed by non-technical decision makers as a 'Cloudflare
>> initiative' instead of a 'good of the internet' initiative, especially
>> by some companies who compete with Cloudflare in the CDN space.
>>
>> I believe that will change the calculus and make it a more difficult
>> sell for technical people to get resources approved to make it happen.
>
> I'm not sure I'd go that far, but I do see your point.
>
> Nowadays, if you are running a half-decent router vendor, chances are
> any upgrades you are doing for normal things (adding capacity, moving
> from Gig-E to 10Gbps, or from 10Gbps to 100Gbps) will bring RPKI along
> for the ride by default.
>
> We've seen that validators are free, and work very well.
>
> Your ongoing RIR membership will get you access to getting your ROAs
> signed, so you don't need to pay extra for that.
>
> So while I can see how an article like this could make life interesting
> within your business, I don't think much of it will hinge on "the cost
> of implementing RPKI in terms of $$".
>
> My company, for example, only found out we run RPKI because of the April
> 1, 2019 activation article that we and Workonline published. And we'd
> been testing and running RPKI since 2014 - and only because we had a
> total network refresh to get rid of some clunky Cisco XR 12000 routers
> (which probably support RPKI if you don't run IOS classic, hehe).
>
> Mark.

