
"Is BGP safe yet?" test

On Wed, Apr 22, 2020 at 11:45 AM Danny McPherson <danny at tcb.net> wrote:
> On 2020-04-21 12:36, Rubens Kuhl wrote:
> > On Tue, Apr 21, 2020 at 1:10 PM Matt Corallo via NANOG
> > <nanog at nanog.org> wrote:
> >
> >> That's an interesting idea. I'm not sure that LACNIC would want
> >> to issue a ROA for RIPE IP space after RIPE issues an AS0 ROA,
> >> though. And you'd at least need some kind of time delay to give
> >> other RIRs and operators a chance to discuss the matter before
> >> allowing RIPE to issue the AS0 ROA, eg in my example mitigation
> >> strategy.
> >
> > All 5 RIRs can issue ROAs for all the IP address spaces. They don't as
> > a matter of coordinated operations, but that doesn't prevent court
> > orders determining that to be done.
> Or a miscreant.  [insert-least-favorite-rir] is now part of your attack
> surface.

Or a slip of the keyboard / software ooops / mistake -- but, in spite
of this, I think that RPKI / ROAs / ROV is a good thing; as with
everything, this is an engineering trade off, and to me this feels
well worth it...

I do think that CloudFlare does some great things for the Internet -
they've moved DNSSEC forward immensely, significantly increased the
adoption of HTTPS/TLS, the OctoRPKI/GoRTR stuff is nice and easy,
their hosted RPKI cache, etc -- but their marketing pushes like this
feel overly aggressive.


> -danny

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
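
Added example, not part of the original thread: a minimal RFC 6811 origin-validation routine run over constructed VRPs, showing why the thread treats every RIR trust anchor as one shared surface. The prefix, ASNs and the `RIR-A`/`RIR-B` labels are documentation values and assumptions chosen for illustration.

```python
# Added illustration: RFC 6811 route origin validation over constructed VRPs.
from ipaddress import ip_network
from typing import NamedTuple

class VRP(NamedTuple):
    prefix: str   # ROA prefix
    max_len: int  # ROA maxLength
    asn: int      # authorized origin AS (0 = AS0, i.e. no AS may originate)
    ta: str       # trust anchor label (hypothetical, informational only)

def validate(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ip_network(route_prefix)
    covered = False
    for v in vrps:
        roa = ip_network(v.prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True  # at least one VRP covers this route
        # AS0 never matches an origin, so an AS0 VRP can only cover, not validate.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def scenarios():
    """Constructed cases; the validator sees the union of VRPs from all anchors."""
    p = "192.0.2.0/24"                    # documentation prefix
    holder = VRP(p, 24, 64500, "RIR-A")   # ROA for the legitimate origin
    as0 = VRP(p, 24, 0, "RIR-A")          # AS0 ROA over the same space
    same_origin_b = VRP(p, 24, 64500, "RIR-B")
    other_origin_b = VRP(p, 24, 64501, "RIR-B")
    return {
        "no_roa": validate(p, 64500, []),
        "holder_roa": validate(p, 64500, [holder]),
        "as0_only": validate(p, 64500, [as0]),
        # A ROA from a second anchor overrides the AS0 ROA for that origin.
        "as0_plus_rir_b_roa": validate(p, 64500, [as0, same_origin_b]),
        # The same mechanism: any anchor can make a different origin valid.
        "rir_b_roa_other_origin": validate(p, 64501, [holder, other_origin_b]),
        "unlisted_origin": validate(p, 64502, [holder, other_origin_b]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:24} {state}")
```

Because the result depends only on the merged VRP set, operators who want to notice a ROA for their space appearing under an unexpected trust anchor have to monitor validator output per anchor; the validation state alone does not reveal it.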