"Is BGP safe yet?" test
jim deleskie
deleskie at gmail.com
Mon Apr 20 19:10:08 UTC 2020
I remember having this discussion more than 20yrs ago, minus the ARIN bit,
couldn't get every to agree to it it then either :(. We don't need more
rules, we just need to start with basic hygiene. Was a novel idea :)
On Mon., Apr. 20, 2020, 2:41 p.m. Christopher Morrow, <
morrowc.lists at gmail.com> wrote:
> On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher <beecher at beecher.cc> wrote:
> >
> > Technical people need to make the business case to management for RKPI
> by laying out what it would cost to implement (equipment, resources,
> ongoing opex), and what the savings are to the company from protecting
> themselves against hijacks. By taking this step, I believe RPKI will become
> viewed by non-technical decision makers as a 'Cloudflare initiative'
> instead of a 'good of the internet' initiative, especially by some
> companies who compete with Cloudflare in the CDN space.
>
> you say here: "RPKI"
> but the cloudflare thing is a little bit more nuanced than that, right?
> 'RPKI" is really: "Did you sign ROA for your IP Number Resources?"
> what you do with the RPKI data is the 'more nuanced' part of the webpage.
> 1) Do you just sign?
> 2) do you sign and also do Origin Validation(OV) for your peers?
> 3) do you just do OV and not sign your own IP Number Resources?
>
> I think CloudFlare (and other folk doing bgp security work) would like
> 'everyone' to:
> 1) sign ROA for their IP number resources
> 2) enable OV on your peerings
> 3) prefix filter all of your peerings
>
> > I believe that will change the calculus and make it a more difficult
> sell for technical people to get resources approved to make it happen.
>
> I don't think that's the case... but I'm sure we'll be proven wrong :)
>
> -chris
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200420/ddf6a9c9/attachment.html>
More information about the NANOG
mailing list