nanog mailing list archives
Re: PeerinDB refuses to register certain networks [was: Setting sensible max-prefix limits]
From: Randy Bush <randy () psg com>
Date: Wed, 18 Aug 2021 17:59:35 -0700
> Currently RPKI can only validate origin, not paths.
not exactly. you are speaking of route origin validation

RPKI
    The RPKI is an X.509 based hierarchy [RFC 6481] which is congruent with the internet IP address allocation administration, the IANA, RIRs, ISPs, ... It is just a database, but is the substrate on which the next two mechanisms are based. It is currently deployed in all five administrative regions.

RPKI-based Origin Validation (ROV)
    RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data to allow a router to verify that the autonomous system originating an IP address prefix is in fact authorized to do so. This is not crypto checked so can be violated. But it should prevent the vast majority of accidental 'hijackings' on the internet today, e.g. the famous Pakistani accidental announcement of YouTube's address space. RPKI-based origin validation is in shipping code from AlcaLu, Cisco, Juniper, and possibly others.

BGPsec
    RPKI-based Path Validation, AKA BGPsec, a future technology still being designed [draft-ietf-sidr-bgpsec-overview], uses the full crypto information of the RPKI to make up for the embarrassing mistake that, like much of the internet, BGP was designed with no thought to securing the BGP protocol itself from being gamed/violated. It allows a receiver of a BGP announcement to cryptographically validate that the autonomous systems through which the announcement passed were indeed those which the sender/forwarder at each hop intended.

Sorry to drone on, but these three really need to be differentiated.
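Added example, not part of the original message: the RFC 6811 origin-validation decision described above (valid / invalid / not-found), written in Python. The VRP table uses constructed documentation prefixes and AS numbers, and the names VRP, origin_as and rov_state are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a router receives from an RPKI cache."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample VRPs (documentation ranges, not real ROAs).
VRPS = [
    VRP("203.0.113.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def origin_as(as_path):
    """Origin is the rightmost AS in AS_PATH; None if empty or an AS_SET."""
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return None
    return as_path[-1]

def rov_state(route_prefix, as_path, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # "Covered": the VRP prefix contains the route prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # "Matched": covered, not longer than maxLength, same origin AS.
        # AS 0 in a VRP never matches any route.
        if (route.prefixlen <= vrp.max_length
                and origin is not None and vrp.asn != 0
                and vrp.asn == origin):
            return "valid"
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    for prefix, path in [
        ("203.0.113.0/24", [64511, 64496]),   # authorized origin
        ("203.0.113.0/24", [64511]),          # covered, wrong origin
        ("203.0.113.128/25", [64496]),        # longer than maxLength
        ("198.51.100.0/24", [64496]),         # no covering VRP
    ]:
        print(prefix, path, rov_state(prefix, path))
```

Only the rightmost AS of the path enters the decision; the ASes in front of it are never examined, which is the gap between origin validation and the path validation BGPsec is meant to provide.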