Reaching out to ARIN members about their RPKI INVALID prefixes
owen at delong.com
Tue Sep 18 19:08:34 UTC 2018
> On Sep 18, 2018, at 10:35 AM, Job Snijders <job at ntt.net> wrote:
> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
>> Personally, since all RPKI accomplishes is providing a
>> cryptographically signed notation of origin ASNs that hijackers should
>> prepend to their announcements in order to create an aura of
>> credibility, I think we should stop throwing resources down this
> 1/ You may be overlooking the fact that many networks peer directly with
> what (for them) are the important sources/destinations. The semantics of
> RPKI ROAs help block illegitimate more-specifics, and the short AS_PATH
> between players prevents a hijacker from inserting themself. In other
> words - the most important AS_PATHs are 1 hop. The Internet's dense
> interconnectedness is saving its bacon.
While this may be true for a handful of well peered ASNs, it’s certainly not common
around the wider internet.
> 2/ Another approach to achieve path validation for 1 hop is through
> mechanisms such what NTT calls 'peerlock'.
> https://www.youtube.com/watch?v=CSLpWBrHy10 <https://www.youtube.com/watch?v=CSLpWBrHy10>
Single hop is relatively easy. It’s 2+ hop where things get far more interesting.
It’s convenient to reduce the problem set to the one you can easily solve, but ignoring
the rest of the problem set smacks of hand-waving and “insert magic here”.
> 3/ Lastly, some folks are innovating in this space to help automate
> concepts such as peerlock through what is called ASPA. ASPA is intended
> as an out-of-band, deployable alternative to BGPSec.
OK, but IIRC, it’s rather orthogonal to RPKI.
> I think you underestimate how valuable RPKI based Origin Validation
> (even just by itself) is in today's Internet landscape.
I think you overestimate it.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the NANOG