[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Is BGP safe yet?" test

On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher <beecher at beecher.cc> wrote:
> Technical people need to make the business case to management for RKPI by laying out what it would cost to implement (equipment, resources, ongoing opex), and what the savings are to the company from protecting themselves against hijacks. By taking this step, I believe RPKI will become viewed by non-technical decision makers as a 'Cloudflare initiative' instead of a 'good of the internet' initiative, especially by some companies who compete with Cloudflare in the CDN space.

you say here: "RPKI"
but the cloudflare thing is a little bit more nuanced than that, right?
'RPKI" is really: "Did you sign ROA for your IP Number Resources?"
what you do with the RPKI data is the 'more nuanced' part of the webpage.
   1) Do you just sign?
   2) do you sign  and also do Origin Validation(OV) for your peers?
   3) do you just do OV and not sign your own IP Number Resources?

I think CloudFlare (and other folk doing bgp security work) would like
'everyone' to:
  1) sign ROA for their IP number resources
  2) enable OV on your peerings
  3) prefix filter all of your peerings

> I believe that will change the calculus and make it a more difficult sell for technical people to get resources approved to make it happen.

I don't think that's the case... but I'm sure we'll be proven wrong :)