Re: BGP route hijack by AS10990

[Mark Tinka <mark.tinka () seacom com>]

On 31/Jul/20 16:01, Baldur Norddahl wrote:
> How do you know that none of the prefixes had ROA? The ones that had
> got stopped by Telias filter, so we would never know.

Like I said, "if". If they did, then they were protected. If they
didn't, well...


> This is exactly the situation where RPKI already works. My and yours
> prefixes, provided you like me have ROAs, will not be leaked through
> Telia and a number of other large transits. Even if they did not have
> proper filters in place.

I don't have to like you, but I will always honour your ROA :-).

That is my point, though - this works if ROA's are present. We know this
to not be the case - so having proper filters in place is not optional.
Not at least until we have 100% diffusion of ROA's + ROV. And even then,
we probably still want some kind of safety net.


> Driving without RPKI / ROA is like driving without a seatbelt. You are
> fine until the day someone makes a mistake and then you wish you did
> your job at signing those prefixes sooner.

Don't disagree with you there.

Mark.