Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
xiangy08 at csnet1.cs.tsinghua.edu.cn
Fri Jan 20 07:08:22 CST 2012
2012/1/20 Arturo Servin <aservin at lacnic.net>
> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
> > RPKI is great.
> > But, firstly, ROA doesn't cover all the prefixes now,
> > we need an alternative service to alert hijackings.
> Or to sign your prefixes.
Signing prefixes is the best way.
Before all prefixes are signed, it is better if we have a detection service.
> > secondly, ROA can only secure the 'Origin AS' of a prefix,
> That's true.
> > while Argus can discover potential hijackings caused by anomalous AS
> Can you explain how?
Only an imprecise detection.
Section III.C in our paper
A brief explanation is:
If an anomalous AS path hijacked a prefix,
I can get replies in normal route-server, and can not get reply in abnormal
Here we only consider hijackings that black-hole the prefix.
If a hijacking doesn't black-hole the prefix (i.e., redirect, interception,
...), it is hard to detect :(
I think network operators are only careless, but not trust-less,
so black-hole hijacking is the majority case.
> > After ROA and BGPsec deployed in the entire Internet (or, in all of your
> > Argus will stop the service :)
> I was just suggesting to add a more deterministic way to detecting
Sorry for my poor English :(
What I want to say is, RPKI is really good,
Argus is just an alternative,
before we can protect ourselves using signatures,
> > --
> > _________________________________________
> > Yang Xiang. Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn
Yang Xiang. Ph.D candidate. Tsinghua University
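
Added example, not part of the original message and not code from Argus or any RPKI validator: a small RFC 6811-style route origin validation check that illustrates the two limits raised in the thread, namely prefixes with no ROA and the fact that only the origin AS is checked. The ROA entries, prefixes (documentation ranges) and AS numbers (private-use range) are constructed for illustration.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, max_length, authorized origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 25, 64501),
]


def origin_validation(prefix, as_path):
    """Return the RFC 6811 state for an announcement.

    as_path is ordered from the neighbor AS to the origin AS (last element).
    Only the origin is examined; the rest of the path is never checked.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_prefix, max_len, vrp_asn in VRPS:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version == vrp_net.version and net.subnet_of(vrp_net):
            covered = True
            if vrp_asn == origin and net.prefixlen <= max_len:
                return "valid"
    # Covered by a ROA but no match: invalid. No covering ROA at all: not-found.
    return "invalid" if covered else "not-found"


# Constructed announcements (label -> (prefix, AS path)).
ANNOUNCEMENTS = {
    "legitimate": ("192.0.2.0/24", [64510, 64500]),
    "wrong origin": ("192.0.2.0/24", [64510, 64666]),
    "no ROA for prefix": ("198.51.100.0/24", [64510, 64666]),
    "anomalous path, correct origin": ("192.0.2.0/24", [64666, 64500]),
    "too specific for maxLength": ("203.0.113.0/26", [64510, 64501]),
}


def classify_all():
    """Map each constructed announcement label to its validation state."""
    return {label: origin_validation(p, path)
            for label, (p, path) in ANNOUNCEMENTS.items()}


if __name__ == "__main__":
    for label, state in classify_all().items():
        print(f"{label:32s} {state}")
```

The "no ROA for prefix" and "anomalous path, correct origin" rows are the two cases where origin validation alone gives no alarm, which is where a separate detection service would have to look at the AS path and reachability instead.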