"Defensive" BGP hijacking?

Doug Montgomery dougm.work at gmail.com
Wed Sep 14 15:21:41 UTC 2016


If you are speaking of RPKI based origin validation, I am not sure
"automated / global enforcement system" is a useful description.   It does
provide a consistent means for address holders to declare AS's authorized
to announce prefixes, and a means for remote ASs to compare received
updates vs such declarations.   What the receiving AS does with the
validation information is strictly a local policy matter.

Frankly, this is no more a "new automated enforcement system" than
IRR-based route filtering has been for 20 years.  The only difference is
that there is a consistent security model across all 5 RIRs as to who can
make such declarations and it is tightly tied to the address allocation
business process.

I have seen a lot of FUD about the specter of interference, but not a lot
of serious thought / discussion.  Having a serious technical discussion of
potential risks and mitigations in the system would be useful.


On Wed, Sep 14, 2016 at 10:51 AM, Mel Beckman <mel at beckman.org> wrote:

> Scott and Doug,
> The problem with a new automated enforcement system is that it hobbles
> both agility and innovation. ISPs have enjoyed simple BGP management,
> entirely self-regulated, for decades. A global enforcement system, besides
> being dang hard to do correctly, brings the specter of government
> interference, since such a system could be overtaken by government entities
> to manhandle free speech.
> In my opinion, the community hasn't spent nearly enough time discussing
> the danger aspect. Being engineers, we focus on technical means, ignoring
> the fact that we're designing our own guillotine.
>  -mel beckman
> > On Sep 14, 2016, at 12:10 AM, Scott Weeks <surfer at mauigateway.com>
> wrote:
> >
> >
> >
> > --- dougm.work at gmail.com wrote:
> > From: Doug Montgomery <dougm.work at gmail.com>
> >
> > If only there were a global system, with consistent and verifiable
> security
> > properties, to permit address holders to declare the set of AS's
> authorized
> > to announce their prefixes, and routers anywhere on the Internet to
> > independently verify the corresponding validity of received
> announcements.
> >
> > *cough      https://www.nanog.org/meetings/abstract?id=2846     cough*
> > ------------------------------------------------
> >
> >
> > Yes, RPKI.  That's what I was waiting for.  Now we can get to
> > a real discussion... ;-)
> >
> > scott

DougM at Work

More information about the NANOG mailing list