[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Is BGP safe yet?" test

On Mon, Apr 20, 2020 at 2:32 PM Alex Band <alex at nlnetlabs.nl> wrote:
> On 20 Apr 2020, at 19:39, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> >
> > On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher <beecher at beecher.cc> wrote:
> >>
> >> Technical people need to make the business case to management for RKPI by laying out what it would cost to implement (equipment, resources, ongoing opex), and what the savings are to the company from protecting themselves against hijacks. By taking this step, I believe RPKI will become viewed by non-technical decision makers as a 'Cloudflare initiative' instead of a 'good of the internet' initiative, especially by some companies who compete with Cloudflare in the CDN space.
> >
> > you say here: "RPKI"
> > but the cloudflare thing is a little bit more nuanced than that, right?
> > 'RPKI" is really: "Did you sign ROA for your IP Number Resources?"
> > what you do with the RPKI data is the 'more nuanced' part of the webpage.
> >   1) Do you just sign?
> >   2) do you sign  and also do Origin Validation(OV) for your peers?
> >   3) do you just do OV and not sign your own IP Number Resources?
> >
> > I think CloudFlare (and other folk doing bgp security work) would like
> > 'everyone' to:
> >  1) sign ROA for their IP number resources
> >  2) enable OV on your peerings
> >  3) prefix filter all of your peerings
> The page seems very centred around the latter. The shaming is happening around the lack of filtering, not the absence of ROAs. The FAQ talks about â??legitimate routesâ?? but thereâ??s not even a few words on how to actually make a route â??legitimate".
> The push for filtering may be a bit premature given the fact that North America has 7% Canada 3% ROA coverage[1]. Thereâ??s not much point in setting up filters if thereâ??s no data to filter on. One could argue that with filtering an incentive arises to create ROAs, but this is not how things have evolved elsewhere in the world.

So, if we believe that the players here are working in the best
interest of the internet at large:
   how could CloudFlare's page be more helpful? (with respect to
securing the global BGP system)
   how could ISPs (and other internet operations) be more helpful?
(with respect to securing the global BGP system)
   how could users validate if their ISP options are doing all they
can do for their users? (same global bgp system caveat)
    (is this last bit helpful at all to them or to the various options
of ISP for that user?)

Having been trying to get more-better-securer internet for a time
now... happy to hear options :)