Reaching out to ARIN members about their RPKI INVALID prefixes

Job Snijders job at ntt.net
Tue Sep 18 17:35:42 UTC 2018


Owen,

On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
> Personally, since all RPKI accomplishes is providing a
> cryptographically signed notation of origin ASNs that hijackers should
> prepend to their announcements in order to create an aura of
> credibility, I think we should stop throwing resources down this
> rathole.

1/ You may be overlooking the fact that many networks peer directly with
what (for them) are the important sources/destinations. The semantics of
RPKI ROAs help block illegitimate more-specifics, and the short AS_PATH
between players prevents a hijacker from inserting themselves. In other
words - the most important AS_PATHs are 1 hop. The Internet's dense
interconnectedness is saving its bacon.

2/ Another approach to achieve path validation for 1 hop is through
mechanisms such as what NTT calls 'peerlock'.
https://www.youtube.com/watch?v=CSLpWBrHy10

3/ Lastly, some folks are innovating in this space to help automate
concepts such as peerlock through what is called ASPA. ASPA is intended
as an out-of-band, deployable alternative to BGPSec.

https://tools.ietf.org/html/draft-azimov-sidrops-aspa-profile
https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification

I think you underestimate how valuable RPKI-based Origin Validation
(even just by itself) is in today's Internet landscape.

If you are aware of other efforts or more fruitful approaches please let
us know.

Kind regards,

Job


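The two mechanisms discussed in the message above, as an added illustration that is not part of the original post or of NTT's configuration: an RFC 6811 origin-validation check against ROAs (which is what makes an unauthorized more-specific INVALID), followed by a simplified peerlock-style rule under which a path containing a protected AS is only accepted from that AS or its known transit providers. The ROAs, ASNs and the shape of the peerlock table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed sample ROAs (documentation prefixes, private-use ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),    # no more-specifics authorized
    ROA("2001:db8::/32", 48, 64496),   # /33 .. /48 permitted from AS64496
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: returns NotFound, Valid or Invalid."""
    net = ipaddress.ip_network(prefix)
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "Valid"
    # Covered by a ROA, but origin or prefix length is not authorized:
    # this is how a more-specific announced by a hijacker is rejected.
    return "Invalid"


# Assumed, simplified peerlock-style table: protected AS -> neighbours from
# which a path containing that AS may be learned (the AS itself + its transits).
PEERLOCK = {64496: {64496, 64500}}


def peerlock_permits(as_path, neighbor_as, rules=PEERLOCK):
    """Reject a path that claims a protected AS but arrives via another neighbour."""
    for protected, allowed in rules.items():
        if protected in as_path and neighbor_as not in allowed:
            return False
    return True


def accept_route(prefix, as_path, neighbor_as):
    """Drop INVALID origins and peerlock violations; NotFound still passes."""
    origin = as_path[-1]
    return rov_state(prefix, origin) != "Invalid" and peerlock_permits(as_path, neighbor_as)
```

A route that prepends the legitimate origin (AS_PATH 64666 64496) passes origin validation alone, but fails the peerlock rule because it was learned from a neighbour that is not AS64496 or its transit provider.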