BGP route hijack by AS10990

Baldur Norddahl baldur.norddahl at gmail.com
Fri Jul 31 14:01:56 UTC 2020


How do you know that none of the prefixes had a ROA? The ones that had got
stopped by Telia's filter, so we would never know.

This is exactly the situation where RPKI already works. My prefixes and
yours, provided you, like me, have ROAs, will not be leaked through Telia
and a number of other large transits, even if they did not have proper
filters in place.

Driving without RPKI / ROA is like driving without a seatbelt. You are fine
until the day someone makes a mistake and then you wish you had done your
job of signing those prefixes sooner.

Regards,

Baldur


On Fri, Jul 31, 2020 at 3:35 PM Mark Tinka <mark.tinka at seacom.com> wrote:

>
>
> On 31/Jul/20 03:57, Aftab Siddiqui wrote:
> > Not a single prefix was signed, from what I saw. Maybe a good reason for
> > Rogers, Charter, TWC etc to do that now. It would have stopped the
> > propagation at Telia.
>
> While I am a huge proponent for ROAs and ROV, it is a massive
> expectation to require filtering to work on the basis of all BGP
> participants creating their ROAs. It's what I would like, but there is
> always going to be a lag on this one.
>
> If none of the prefixes had a ROA, no amount of Telia's shiny new "we
> drop invalids" machine would have helped, as we saw with this incident.
> ROV really only comes into its own when the majority of the Internet has
> correct ROAs set up. In the absence of that, it's a powerful but
> toothless feature.
>
> So while I will continue pushing for the rest of the world to create
> ROAs, turn on RPKI and enable ROV, I'll also advocate that operators
> continue to have both AS- and prefix-based filters. Not either/or, but
> both. Also, max-prefix as a matter of course.
>
> Mark.
>
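
Added example, not part of either message above: a minimal RFC 6811 route origin validation in Python, showing why a "drop invalids" policy stops a wrong-origin announcement for a signed prefix but lets the same mistake through for an unsigned one. The VRPs, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
# Added example: RFC 6811 origin validation over constructed data.
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: length within maxLength and same origin (AS0 never matches).
        if route.prefixlen <= max_len and vrp_asn == origin_asn and vrp_asn != 0:
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"

def drop_invalids(announcements, vrps=VRPS):
    """'Drop invalids' policy: only ROV-invalid routes are rejected."""
    return [(p, a) for p, a in announcements if rov_state(p, a, vrps) != "invalid"]

# Constructed announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # signed prefix, correct origin
    ("192.0.2.0/24", 64511),     # signed prefix, wrong origin
    ("192.0.2.128/25", 64496),   # correct origin, longer than maxLength
    ("198.51.100.0/24", 64511),  # wrong origin, but prefix has no ROA
    ("2001:db8:1::/48", 64496),  # more-specific within maxLength
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:18} AS{a}  {rov_state(p, a)}")
    print("accepted:", drop_invalids(ANNOUNCEMENTS))
```

The unsigned 198.51.100.0/24 announcement evaluates to not-found and is accepted by the ROV policy alone, which is where AS-path filters, prefix filters and max-prefix limits still have to do the work.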