Reaching out to ARIN members about their RPKI INVALID prefixes

Christopher Morrow morrowc.lists at gmail.com
Tue Sep 18 21:32:42 UTC 2018


On Tue, Sep 18, 2018 at 12:04 PM Owen DeLong <owen at delong.com> wrote:

>
> On Sep 18, 2018, at 11:06 AM, Christopher Morrow <morrowc.lists at gmail.com>
> wrote:
>
> On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <job at ntt.net> wrote:
>
>> Owen,
>>
>> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
>> > Personally, since all RPKI accomplishes is providing a
>> > cryptographically signed notation of origin ASNs that hijackers should
>> > prepend to their announcements in order to create an aura of
>> > credibility, I think we should stop throwing resources down this
>> > rathole.
>> I think you underestimate how valuable RPKI based Origin Validation
>> (even just by itself) is in today's Internet landscape.
>>
>> If you are aware of other efforts or more fruitful approaches please let
>> us know.
>>
> Perhaps said another way:
>
> "How would you figure out what prefixes your bgp peer(s) should be sending
> you?"
>    (in an automatable, and verifiable manner)
>
> -chris
>
> In theory, that’s what IRRs are for.
>
It's not worked out so far.
There's no real authorization/authentication of note on the data set via
the IRR.
You have no real way of knowing that 'AS12 should be announcing
157.130.0.0/16' ... except by chasing the ARIN/RIPE/etc. records today.
Something that those orgs stamp and which machines could validate without
people using eyeballs would sure be nice... Oh, that's what RPKI is
supposed to provide.


> In practice, while they offer better theoretical capabilities if stronger
> authentication were added, the current implementation and acceptance leaves
> much to be desired.
>

And it has for approximately 30 years... I don't imagine it's magically going to
get better in the next 30 either.


>
> However, even in theory, RPKI offers nothing of particular benefit even in
> its best case of widespread implementation.
>
"RIR says Owen can originate route FOO"
"ROA for 157.130.1.0/24 says OWEN can originate"

Those seem like valuable pieces of information. Especially since I can know
this through some machine-parseable fashion.

-chris

> Owen
>
>
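The machine-parseable check the thread is arguing about, as an added example that is not part of the original message: RPKI Route Origin Validation (RFC 6811) run over a constructed set of Validated ROA Payloads. The prefixes echo the thread's examples; the VRP set, the ASNs (65001 standing in for "Owen", 64496 as a random announcer) and the route list are all constructed, not taken from any RIR repository.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: `asn` may originate `prefix` down to `max_length`."""
    prefix: str
    max_length: int
    asn: int

def _covers(vrp: VRP, route) -> bool:
    # A VRP covers a route when the route lies inside the VRP prefix.
    net = ipaddress.ip_network(vrp.prefix)
    return net.version == route.version and route.subnet_of(net)

def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if _covers(v, route)]
    if not covering:
        return "NotFound"  # no ROA speaks for this address space
    # Valid needs a covering VRP whose ASN matches and whose maxLength admits
    # this prefix length; an AS0 VRP never matches a real origin -> Invalid.
    if any(v.asn == origin_asn and route.prefixlen <= v.max_length
           for v in covering):
        return "Valid"
    return "Invalid"

def invalid_routes(routes, vrps):
    # The announcements a resource holder would be contacted about.
    return [(p, a) for p, a in routes if validate_origin(p, a, vrps) == "Invalid"]
# Constructed sample data, not from any RIR repository: the prefixes echo the
# thread's examples; ASNs are placeholders (65001 stands in for "Owen").
SAMPLE_VRPS = [
    VRP("157.130.0.0/16", 16, 12),     # AS12 may originate exactly the /16
    VRP("157.130.1.0/24", 24, 65001),  # "Owen" may originate the /24
    VRP("203.0.113.0/24", 24, 0),      # AS0 ROA: nobody may originate this
]
SAMPLE_ROUTES = [
    ("157.130.0.0/16", 12),     # Valid
    ("157.130.1.0/24", 65001),  # Valid
    ("157.130.1.0/24", 12),     # Invalid: /24 exceeds AS12's maxLength of 16
    ("203.0.113.0/24", 64496),  # Invalid: AS0 ROA
    ("198.51.100.0/24", 12),    # NotFound: no covering VRP
]

if __name__ == "__main__":
    for p, a in SAMPLE_ROUTES:
        print(f"{p:18} AS{a:<6} {validate_origin(p, a, SAMPLE_VRPS)}")
```

Note that a more-specific announced with the legitimate holder's ASN prepended still evaluates Invalid when the ROA's maxLength is tight, which is why maxLength should not be set looser than what the holder actually announces.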