Reaching out to ARIN members about their RPKI INVALID prefixes

Owen DeLong owen at delong.com
Tue Sep 18 19:04:19 UTC 2018


> On Sep 18, 2018, at 11:06 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> 
> 
> On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <job at ntt.net> wrote:
> Owen,
> 
> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
> > Personally, since all RPKI accomplishes is providing a
> > cryptographically signed notation of origin ASNs that hijackers should
> > prepend to their announcements in order to create an aura of
> > credibility, I think we should stop throwing resources down this
> > rathole.
> I think you underestimate how valuable RPKI based Origin Validation
> (even just by itself) is in today's Internet landscape.
> 
> If you are aware of other efforts or more fruitful approaches please let
> us know.
> 
> 
> Perhaps said another way: 
> 
> "How would you figure out what prefixes your bgp peer(s) should be sending you?"
>    (in an automatable, and verifiable manner)
> 
> -chris

In theory, that’s what IRRs are for.

In practice, while they offer better theoretical capabilities if stronger authentication were added, the current implementation and acceptance leave much to be desired.

However, even in theory, RPKI offers nothing of particular benefit even in its best case of widespread implementation.

Owen
