"Is BGP safe yet?" test

Baldur Norddahl baldur.norddahl at gmail.com
Tue Apr 21 09:07:03 UTC 2020

There are in fact five anchors. I am not sure ARIN would be able to stop 
anyone holding RIPE space provided the resource holder uses RIPE RPKI 
anchor for publishing his ROAs.



On 21.04.2020 08.51, Matt Corallo via NANOG wrote:
> I find it fascinating that in this entire thread about the nature of RPKI the shift in the role of the RIR hasn’t come up.
> Instead of RIRs coordinating address space use by keeping a public list which is (or should be) checked when a new peering session is added, RPKI shifts RIRs into the hot path of routing updates. Next time the US government decides some bad, bad, very bad country should be cut off from the world with viral sanctions, there’s a new tool available - by simply editing a database, every border router in the world will refuse to talk to $EVIL.
> By no means am I suggesting we should stop the RPKI train (and AS397444 happily drops invalids and has ROAs for all prefixes), but there’s a very cost here that doesn’t appear to have gotten much love, let alone mitigation effort. In the context of RIPE having to ask for permission to keep receiving payments from several Iranian LIRs, this isn’t completely inconceivable.
> By way of an example, something like a waiting period for RIRs to add new ROAs replacing removed ROAs (which would imply some kind of signed replacement, but you get the point). At least ARIN already has a several-month quieting period after yanking resources for non-payment, why not use that to give operators time to think about whether they mind talking to Iran?
> /ducks
> Matt
>> On Apr 20, 2020, at 08:10, Andrey Kostin <ankost at podolsk.ru> wrote:
>> Hi Nanog list,
>> Would be interesting to hear your opinion on this:
>> https://isbgpsafeyet.com/
>> We have cases when residential customers ask support "why is your service isn't safe?" pointing to that article. It's difficult to answer correctly considering that the asking person usually doesn't know what BGP is and what it's used for, save for understanding it's function, design and possible misuses.
>> IMO, on one hand it promotes and is aimed to push RPKI deployment, on the other hand is this a proper way for it? How ethical is to claim other market players unsafe, considering that scope of possible impact of not implementing it has completely different scale for a small stub network and big transit provider?
>> Kind regards,
>> Andrey

More information about the NANOG mailing list