
[safnog] RPKI discussions

Hi Frank,

On 12-Apr-2015 10:33:01 (+0300), Frank Habicht wrote:
> So I'd like to say: this whole local-pref reduction is good for what....?
> Seems to me like the prefixes still make it everywhere they want to go,
> upstream, downstream, RIB, FIB, ...
> Is it for testing?
> pro-bono bug chasing for the vendors?
> Or is this a case of false advertising?

In addition to the responses you have so far, it's important to realise
that RPKI is a lot like DNSSEC or uRPF. It only really works when we all
implement it. And yes, it's new enough that fairly serious bugs exist in
many major vendors' code.

As long as we're still at the point where many invalid prefixes are
actually valid due to network engineer errors it is infeasible for
network operators to blindly drop those prefixes. End-sites maybe.

However, if you have published ROAs for your 'net correctly and someone
hijacks a prefix of yours:

1. It is very easy to detect (non-repudiation aspect of crypto and all that).
2. You can very easily convince any upstreams who are running RPKI to
drop the invalid prefix(es) that should originate from your AS.

Some people I know are playing around with programmatically dropping
invalid prefixes that should originate from a list of "well-behaved
ASes" (say from the output of bgpmon), but that's really a stop-gap.


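The validation states and policy choices discussed in this message (ROA coverage, "invalid" versus "not found", local-pref reduction versus dropping invalids only for a list of well-behaved ASes, and detecting a hijack of your own ROA-covered space) can be worked through in a few dozen lines. The code below is an added example and is not from the SAFNOG thread, bgpmon, or any vendor. It implements RFC 6811 route origin validation over an in-memory ROA set using only the Python standard library; the `ROA` class, the `policy`/`detect_hijacks` functions and the local-pref values are this example's own conventions, and every prefix and AS number is constructed from documentation ranges rather than taken from real routing state.

```python
"""RPKI route origin validation (RFC 6811) plus the two policy choices the
thread discusses: local-pref reduction versus dropping invalid routes.

Added example, not code from the SAFNOG thread or any vendor. All ROAs,
prefixes and AS numbers are constructed from documentation ranges
(RFC 5737, RFC 3849, RFC 5398); none of this is real routing state.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str      # IP prefix the ROA covers
    max_length: int  # longest prefix length the holder authorises
    origin_as: int   # AS authorised to originate the prefix


def covering_roas(prefix: str, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix contains `prefix`, regardless of origin AS or maxLength."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        rnet = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so check the version first
        if rnet.version == net.version and net.subnet_of(rnet):
            out.append(roa)
    return out


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"  # no ROA says anything about this address space
    for roa in covering:
        # one matching ROA is enough: right origin AS and length within maxLength
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def policy(prefix: str, origin_as: int, roas: Iterable[ROA],
           well_behaved: frozenset = frozenset(),
           default_lp: int = 100) -> Tuple[str, Optional[int], str]:
    """Return (action, local_pref, state) for one announcement.

    Invalid routes are dropped only when every authorised origin for the
    covered space is on the operator's well-behaved list (the stop-gap the
    thread describes). Otherwise local-pref is merely reduced, so a genuine
    route that is invalid because of a ROA mistake still reaches the FIB
    when nothing better exists.
    """
    roas = list(roas)
    state = validate(prefix, origin_as, roas)
    if state in ("valid", "not-found"):
        return ("accept", default_lp, state)
    authorised = {r.origin_as for r in covering_roas(prefix, roas)}
    if authorised and authorised <= well_behaved:
        return ("drop", None, state)
    return ("accept", default_lp - 50, state)  # local-pref reduction


def detect_hijacks(my_as: int, announcements: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Announcements that are invalid for space my_as has published ROAs for.

    This is the 'very easy to detect' case: the route is covered by one of
    my ROAs but is originated by an AS, or at a length, I never authorised.
    """
    roas = list(roas)
    hits = []
    for prefix, origin in announcements:
        mine = any(r.origin_as == my_as for r in covering_roas(prefix, roas))
        if mine and validate(prefix, origin, roas) == "invalid":
            hits.append((prefix, origin))
    return hits


# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate
    ("192.0.2.0/24", 64511),     # wrong origin AS for covered space
    ("192.0.2.0/25", 64496),     # right AS, but more specific than maxLength 24
    ("198.51.100.0/24", 64511),  # invalid, holder AS64497 not on our trusted list
    ("203.0.113.0/24", 64511),   # no ROA at all: not-found
    ("2001:db8:1::/48", 64496),  # legitimate IPv6 route
]

if __name__ == "__main__":
    trusted = frozenset({64496})
    for prefix, origin in SAMPLE_ANNOUNCEMENTS:
        print(prefix, origin, policy(prefix, origin, SAMPLE_ROAS, trusted))
    print("invalid routes in AS64496 space:",
          detect_hijacks(64496, SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS))
```

Running it shows the distinction the thread turns on: the `/25` announced by the legitimate holder comes out "invalid" purely because of its ROA's maxLength, which is exactly the kind of operator error that makes blanket dropping risky, while the same prefix announced by AS64511 is dropped because the only authorised origin is on the trusted list.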