Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

Arturo Servin aservin at lacnic.net
Fri Jan 20 06:45:31 CST 2012


On 20 Jan 2012, at 10:38, Yang Xiang wrote:

> RPKI is great.
> 
> But, firstly, ROA doesn't cover all the prefixes now,
> we need an alternative service to alert hijackings.

	Or to sign your prefixes.

> 
> secondly, ROA can only secure the 'Origin AS' of a prefix,

	That's true.

> while Argus can discover potential hijackings caused by anomalous AS path.

	Can you explain how?

> 
> After ROA and BGPsec are deployed in the entire Internet (or, in all of your network),
> Argus will stop the service :)

	I was just suggesting to add a more deterministic way of detecting hijacks.

	
Regards,
as

> 
> 2012/1/20 Arturo Servin <aservin at lacnic.net>
> 
>        You could use RPKI and origin validation as well.
> 
>        We have an application that does that.
> 
>        http://www.labs.lacnic.net/rpkitools/looking_glass/
> 
>        For example you can periodically check if your prefix is valid:
> 
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
> 
>        If it were invalid for a possible hijack it would look like:
> 
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
> 
>        Or you can just query for any state:
> 
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
> 
> 
> 
> Regards,
> as
> 
> 
> 
> 
> 
> -- 
> _________________________________________
> Yang Xiang. Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn
> 
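
The three origin-validation states queried above, and the point that a ROA secures only the origin AS, shown as an added example that is not part of the original message or of the LACNIC tool. The ROA table, AS numbers and announcements are constructed for illustration; the classification follows RFC 6811.

```python
import ipaddress

# Constructed ROA table: (prefix, max length, authorized origin AS).
# AS numbers are documentation-range values, not real registry data.
ROAS = [
    ("200.7.84.0/23", 24, 64500),
    ("200.31.12.0/22", 22, 64501),
]

def validate_origin(prefix, as_path, roas=ROAS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    Only the last AS in as_path (the origin) is compared with the ROAs;
    the rest of the path is never examined.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this address space
        if route.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    # Covered but no ROA matched -> invalid; no covering ROA -> not-found.
    return "invalid" if covered else "not-found"

# Constructed announcements: (prefix, AS path as received, origin last).
ROUTES = [
    ("200.7.84.0/23", [64496, 64500]),          # expected origin
    ("200.31.12.0/22", [64496, 64511]),         # wrong origin AS
    ("200.31.12.0/24", [64496, 64501]),         # longer than max length
    ("198.51.100.0/24", [64496, 64497]),        # no covering ROA
    ("200.7.84.0/23", [64496, 64511, 64500]),   # odd path, right origin
]

def classify_all(routes=ROUTES):
    return [validate_origin(p, path) for p, path in routes]

if __name__ == "__main__":
    for (prefix, path), state in zip(ROUTES, classify_all()):
        print(f"{prefix:18} path={path} -> {state}")
```

The last announcement is classified valid even though an unexpected AS sits in the middle of the path, which is why path anomalies need a separate detector or BGPsec.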