deploying RPKI based Origin Validation

Mark Tinka mark.tinka at
Sat Jul 14 05:06:22 UTC 2018

On 13/Jul/18 19:28, Christopher Morrow wrote:

> I think getting to Job's world is a goal, I think living in Mark's is a
> reality for a bit still.
> (yes, you could ALSO do some game playing where the customer ports for TSW
> were in a VRF with no 'bad' routes, but.. complexity)

This summarizes the current status of affairs quite accurately.

I'd like to get to the point where RPKI is widely deployed so that we
can all run a cleaner BGP. I don't think that waiting for all BGP
operators to enable RPKI and drop Invalids will be the solution. So if
the top 7 global operators decided to do it, and perhaps suffer the pain
of the effects for a few months, the rest of the community will be
inclined to follow suit.

Kind of like how only a few major operators really use RPSL, which
forces all BGP operators to keep some kind of updated IRR, even if they,
themselves, may not be RPSL users.

> sure thing! (err, this rpki/secure-routing business isn't really super
> intuitive :( )

As always, the difficult bit is done, i.e., the protocol spec. is
clearly defined, there is code in routing software, and there are plenty
of options for Route Validation software.

But as always, the hard part is getting the community to implement, as
we've seen with IPv6 and DNSSEC.


More information about the NANOG mailing list