Reaching out to ARIN members about their RPKI INVALID prefixes
morrowc.lists at gmail.com
Tue Sep 18 21:32:42 UTC 2018
On Tue, Sep 18, 2018 at 12:04 PM Owen DeLong <owen at delong.com> wrote:
> On Sep 18, 2018, at 11:06 AM, Christopher Morrow <morrowc.lists at gmail.com>
> On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <job at ntt.net> wrote:
>> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
>> > Personally, since all RPKI accomplishes is providing a
>> > cryptographically signed notation of origin ASNs that hijackers should
>> > prepend to their announcements in order to create an aura of
>> > credibility, I think we should stop throwing resources down this
>> > rathole.
>> I think you underestimate how valuable RPKI based Origin Validation
>> (even just by itself) is in today's Internet landscape.
>> If you are aware of other efforts or more fruitful approaches please let
>> us know.
> Perhaps said another way:
> "How would you figure out what prefixes your bgp peer(s) should be sending
> (in an automatable, and verifiable manner)
> In theory, that’s what IRRs are for.
it's not worked out so far.
there's no real authorization/authentication of note on the data set via
you have no real way of knowing that 'as12 should be announcing
184.108.40.206/16' ... except by chasing the arin/ripe/etc records today,
something that those orgs stamp and which machines could validate without
people using eyeballs would sure be nice... Oh, that's what RPKI is
supposed to provide.
> In practice, while they offer better theoretical capabilities if stronger
> authentication were added, the current implementation and acceptance leaves
> much to be desired.
and has for approximately 30 yrs... I don't imagine magically it's going to
get better in the next 30 either.
> However, even in theory, RPKI offers nothing of particular benefit even in
> its best case of widespread implementation.
"rir says owen can originate route FOO"
"ROA for 220.127.116.11/24 says OWEN can originate"
those seem like valuable pieces of information. Especially since I can know
this through some machine parseable fashion.
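As an added illustration, not part of the thread or any router vendor's code: the RFC 6811 route origin validation outcome ("valid", "invalid", "notfound") for a BGP announcement checked against ROAs, using constructed ROAs on documentation prefixes and private ASNs. It shows why a hijack that keeps the real origin ASN is not caught by ROV alone, which is the limitation raised above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization as published via the RIR's RPKI."""
    prefix: str      # covering prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length this ROA authorizes
    asn: int         # origin AS allowed to announce it


def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 Route Origin Validation for a single announcement.

    'notfound': no ROA covers the prefix (no statement either way).
    'invalid':  a ROA covers it, but none matches origin AS and maxLength.
    'valid':    at least one covering ROA matches origin AS and maxLength.
    ROV checks only the origin AS; it does not authenticate the AS_PATH.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() also enforces roa_net.prefixlen <= route.prefixlen
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed ROAs (documentation prefixes, private ASNs), not real data.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496),     # legitimate origin      -> valid
        ("192.0.2.0/24", 64511),     # wrong origin AS        -> invalid
        ("192.0.2.0/25", 64496),     # more specific than max -> invalid
        ("2001:db8:1::/48", 64496),  # within maxLength 48    -> valid
        ("203.0.113.0/24", 64496),   # no covering ROA        -> notfound
    ]
    for prefix, asn in cases:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn, ROAS)}")
```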