[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

deploying RPKI based Origin Validation

Subject: deploying RPKI based Origin Validation
From: mark.tinka at seacom.mu (Mark Tinka)
Date: Sat, 14 Jul 2018 06:54:35 +0200
In-reply-to: <CACWOCC-r-FY1Wa7-kbF0TAtDYD+uqu=_szney7TtD1XJ5iYKng@mail.gmail.com>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <CAL9jLaYExYkkZnCFHXKp_khzdc62W04UbukDbgGsjBuoiQ4CTA@mail.gmail.com> <CACWOCC-r-FY1Wa7-kbF0TAtDYD+uqu=_szney7TtD1XJ5iYKng@mail.gmail.com>

On 13/Jul/18 18:37, Job Snijders wrote:

> That is exactly what I mean. Because of the golden rule "most-specific
> always wins" (and parts of the AS_PATH are pretty easy to spoof) it
> only makes sense to me to completely reject invalid routes.

Exactly my preference, and exactly what we did for 2 years. But in
practice, customers don't really like this, nor does your CFO.

We need mass deployment for this to work effectively, and also a bit
more education for those that sign aggregates but not the more-specifics.

Mark.

References:
- deploying RPKI based Origin Validation
  - From: job at ntt.net (Job Snijders)
- deploying RPKI based Origin Validation
  - From: mark.tinka at seacom.mu (Mark Tinka)
- deploying RPKI based Origin Validation
  - From: job at ntt.net (Job Snijders)
- deploying RPKI based Origin Validation
  - From: mark.tinka at seacom.mu (Mark Tinka)
- deploying RPKI based Origin Validation
  - From: gtaylor at tnetconsulting.net (Grant Taylor)
- deploying RPKI based Origin Validation
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- deploying RPKI based Origin Validation
  - From: job at instituut.net (Job Snijders)

Prev by Date: deploying RPKI based Origin Validation
Next by Date: deploying RPKI based Origin Validation
Previous by thread: deploying RPKI based Origin Validation
Next by thread: deploying RPKI based Origin Validation
Index(es):
- Date
- Thread