Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

Yang Xiang xiangy08 at csnet1.cs.tsinghua.edu.cn
Fri Jan 20 07:08:22 CST 2012


2012/1/20 Arturo Servin <aservin at lacnic.net>

>
> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
>
> > RPKI is great.
> >
> > But, firstly, ROA doesn't cover all the prefixes now,
> > we need an alternative service to alert hijackings.
>
>         Or to sign your prefixes.
>

Signing prefixes is the best way.
Before all prefixes are signed, it is better if we have a detection service.


>
> >
> > secondly, ROA can only secure the 'Origin AS' of a prefix,
>
>         That's true.
>
> > while Argus can discover potential hijackings caused by anomalous AS path.
>
>         Can you explain how?
>

Only an imprecise detection.

Section III.C in our paper
http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf

A brief explanation is:
If an anomalous AS path hijacked a prefix,
I can get replies from normal route-servers, and cannot get replies from abnormal
route-servers.

Here we only consider hijackings that black-hole the prefix.
If a hijacking doesn't black-hole the prefix (i.e., redirect, interception,
...), it is hard to detect :(

I think network operators are only careless, but not trust-less,
so black-hole hijacking is the majority case.


>
> >
> > After ROA and BGPsec deployed in the entire Internet (or, in all of your network),
> > Argus will stop the service :)
>
>         I was just suggesting to add a more deterministic way to detect
> hijacks.
>

Sorry for my poor English :(
What I want to say is, RPKI is really good,
Argus is just an alternative,
before we can protect ourselves using signatures,
honestly :-)

Best regards!


>
>
> Regards,
> as
>
>
> >
> > --
> > _________________________________________
> > Yang Xiang. Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn
> >
>
>


-- 
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
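
Added example, not part of the original message and not Argus code: a sketch of the check described in the reply, correlating which vantage points route through an anomalous AS path segment with which of them still get probe replies, including the interception case the message calls hard to detect. The AS numbers (documentation range), the flagged segment, the 0.6 threshold and all function names are assumptions, and the observations are constructed.

```python
from math import sqrt

# Constructed sample: one entry per vantage point (route server). "reply" is
# whether a probe sent from that vantage point to a live host in the prefix
# was answered.
BLACKHOLE = [
    {"as_path": [64496, 64497, 64510], "reply": True},
    {"as_path": [64498, 64497, 64510], "reply": True},
    {"as_path": [64499, 64510], "reply": True},
    {"as_path": [64501, 64500, 64511, 64510], "reply": False},
    {"as_path": [64502, 64500, 64511, 64510], "reply": False},
    {"as_path": [64503, 64500, 64511, 64510], "reply": False},
]
# Same routes, but traffic is forwarded on (interception): every probe is answered.
INTERCEPTION = [dict(o, reply=True) for o in BLACKHOLE]
ANOMALOUS_SEGMENT = (64500, 64511)  # hypothetical AS adjacency flagged as new

def uses_segment(as_path, segment):
    """True if the AS path contains the adjacent-AS segment."""
    n = len(segment)
    return any(tuple(as_path[i:i + n]) == tuple(segment)
               for i in range(len(as_path) - n + 1))

def blackhole_score(observations, segment):
    """Pearson correlation between 'route avoids the segment' and 'probe answered'.
    Returns None when there is nothing to correlate (a vector is constant)."""
    if not observations:
        return None
    clean = [0 if uses_segment(o["as_path"], segment) else 1 for o in observations]
    reply = [1 if o["reply"] else 0 for o in observations]
    n = len(observations)
    mc, mr = sum(clean) / n, sum(reply) / n
    cov = sum((c - mc) * (r - mr) for c, r in zip(clean, reply))
    vc = sum((c - mc) ** 2 for c in clean)
    vr = sum((r - mr) ** 2 for r in reply)
    if vc == 0 or vr == 0:
        return None
    return cov / sqrt(vc * vr)

def classify(observations, segment, threshold=0.6):
    """threshold is an assumed cut-off for this example, not a published value."""
    score = blackhole_score(observations, segment)
    if score is None:
        return "inconclusive"
    return "likely black-hole hijack" if score >= threshold else "not confirmed"

if __name__ == "__main__":
    print(classify(BLACKHOLE, ANOMALOUS_SEGMENT))
    print(classify(INTERCEPTION, ANOMALOUS_SEGMENT))
```

In the interception sample every probe is answered, so the reply vector is constant and the data plane gives no signal about the anomalous path.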

