PeerinDB refuses to register certain networks [was: Setting sensible max-prefix limits]

Randy Bush randy at psg.com
Thu Aug 19 00:59:35 UTC 2021


> Currently RPKI can only validate origin, not paths.

not exactly  you ar speaking of route origin validation

    RPKI

    The RPKI is an X.509 based hierarchy [RFC 6481] which is congruent
    with the internet IP address allocation administration, the IANA,
    RIRs, ISPs, ...  It is just a database, but is the substrate on
    which the next two mechanisms are based.  It is currently deployed
    in all five administrative regions.

    RPKI-based Origin Validation (ROV)

    RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data
    to allow a router to verify that the autonomous system originating
    an IP address prefix is in fact authorized to do so.  This is not
    crypto checked so can be violated.  But it should prevent the vast
    majority of accidental 'hijackings' on the internet today, e.g. the
    famous Pakistani accidental announcement of YouTube's address space.
    RPKI-based origin validation is in shipping code from AlcaLu, Cisco,
    Juniper, and possibly others.

    BGPsec

    RPKI-based Path Validation, AKA BGPsec, a future technology still
    being designed [draft-ietf-sidr-bgpsec-overview], uses the full
    crypto information of the RPKI to make up for the embarrassing
    mistake that, like much of the internet BGP was designed with no
    thought to securing the BGP protocol itself from being
    gamed/violated.  It allows a receiver of a BGP announcement to
    cryptographically validate that the autonomous systems through which
    the announcement passed were indeed those which the sender/forwarder
    at each hop intended.

Sorry to drone on, but these three really need to be differentiated.


More information about the NANOG mailing list