"Is BGP safe yet?" test

Mon Apr 20 18:32:29 UTC 2020

On 20 Apr 2020, at 19:39, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher <beecher at beecher.cc> wrote:
>> 
>> Technical people need to make the business case to management for RKPI by laying out what it would cost to implement (equipment, resources, ongoing opex), and what the savings are to the company from protecting themselves against hijacks. By taking this step, I believe RPKI will become viewed by non-technical decision makers as a 'Cloudflare initiative' instead of a 'good of the internet' initiative, especially by some companies who compete with Cloudflare in the CDN space.
> 
> you say here: "RPKI"
> but the cloudflare thing is a little bit more nuanced than that, right?
> 'RPKI" is really: "Did you sign ROA for your IP Number Resources?"
> what you do with the RPKI data is the 'more nuanced' part of the webpage.
>   1) Do you just sign?
>   2) do you sign  and also do Origin Validation(OV) for your peers?
>   3) do you just do OV and not sign your own IP Number Resources?
> 
> I think CloudFlare (and other folk doing bgp security work) would like
> 'everyone' to:
>  1) sign ROA for their IP number resources
>  2) enable OV on your peerings
>  3) prefix filter all of your peerings

The page seems very centred around the latter. The shaming is happening around the lack of filtering, not the absence of ROAs. The FAQ talks about “legitimate routes” but there’s not even a few words on how to actually make a route “legitimate".

The push for filtering may be a bit premature given the fact that North America has 7% Canada 3% ROA coverage[1]. There’s not much point in setting up filters if there’s no data to filter on. One could argue that with filtering an incentive arises to create ROAs, but this is not how things have evolved elsewhere in the world.

-Alex

[1] https://nlnetlabs.nl/projects/rpki/rpki-analytics/