[safnog] RPKI discussions

Patrick Okui pokui at psg.com
Mon Apr 13 08:56:43 UTC 2015


Hi Frank,

On  12-Apr-2015 10:33:01 (+0300), Frank Habicht wrote:
> So I'd like to say: this whole local-pref reduction is good for what....?
> Seems to me like the prefixes still make it everywhere they want to go,
> upstream, downstream, RIB, FIB, ...
> 
> Is it for testing?
> pro-bono bug chasing for the vendors?
> Or is this a case of false advertising?

In addition to the responses you have so far it's important to realise
that RPKI is a lot like DNSSEC or uRPF. It only really works when we all
implement it. And yes, it's new enough that fairly serious bugs exist in
many major vendors' code.

As long as we're still at the point where many invalid prefixes are
actually valid due to network engineer errors it is infeasible for
network operators to blindly drop those prefixes. End-sites maybe.

However, if you have published ROAs for your 'net correctly and someone
hijacks a prefix of yours:

1. It is very easy to detect (non-repudiation aspect of crypto and all that)
2. You can very easily convince any upstreams who are running RPKI to
drop the invalid prefix(es) that should originate from your AS.

Some people I know are playing around with programmatically dropping
invalid prefixes that should originate from a list of "well behaved
ASes" (say from the output of BGPmon) but that's really a stop-gap.

--
patrick
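The two policies discussed in this thread, lowering local-pref on every RPKI-invalid route versus dropping invalid routes only where the covering ROA belongs to a "well behaved" origin AS, as a worked example. This is added illustration code, not code from the post, from BGPmon or from any vendor; it implements RFC 6811 origin validation in plain Python and then applies both policies to a handful of constructed routes. The ROAs, prefixes (documentation ranges), AS numbers (private-use range), the local-pref values and the membership of the well-behaved list are all assumptions made for the example.

```python
"""Route Origin Validation (RFC 6811) plus the two local policies from the
thread: lower LOCAL_PREF on every Invalid route, or drop an Invalid route
only when the ROA it contradicts names a "well behaved" origin AS.

Added example for this archive page; not code from the post or any vendor.
Every ROA, prefix and AS number below is constructed for illustration
(documentation prefixes and private-use ASNs)."""
import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


@dataclass(frozen=True)
class Roa:
    """One ROA payload: prefix, maxLength and the authorised origin AS."""
    prefix: str
    max_length: int
    asn: int

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def covering_roas(prefix, roas):
    """ROAs whose prefix is equal to or less specific than `prefix`.
    The version check avoids comparing v4 against v6 (subnet_of raises)."""
    net = ipaddress.ip_network(prefix)
    return [r for r in roas
            if r.network.version == net.version and net.subnet_of(r.network)]


def validate(prefix, origin_asn, roas):
    """RFC 6811 validation state for a received (prefix, origin AS).

    notfound: no ROA covers the prefix.
    valid:    a covering ROA names this origin AS and the announced prefix
              is no longer than that ROA's maxLength.
    invalid:  covered, but no ROA matches (wrong origin or too specific)."""
    covering = covering_roas(prefix, roas)
    if not covering:
        return NOTFOUND
    length = ipaddress.ip_network(prefix).prefixlen
    if any(r.asn == origin_asn and length <= r.max_length for r in covering):
        return VALID
    return INVALID


def policy(prefix, origin_asn, roas, well_behaved_asns,
           default_lp=100, invalid_lp=50):
    """Decide what to do with a received route; returns (state, action, lp).

    Valid and NotFound routes are accepted at the default LOCAL_PREF.  An
    Invalid route is dropped only when the ROA it contradicts belongs to an
    AS assumed to keep its ROAs correct (the "well behaved" list); otherwise
    it is still accepted, just with a lowered LOCAL_PREF, which is the
    conservative behaviour the post describes for everyone else."""
    state = validate(prefix, origin_asn, roas)
    if state != INVALID:
        return state, "accept", default_lp
    expected_origins = {r.asn for r in covering_roas(prefix, roas)}
    if expected_origins & well_behaved_asns:
        return state, "drop", None
    return state, "accept", invalid_lp


# Constructed ROA set (assumed for the example).
ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
    Roa("2001:db8::/32", 48, 64500),
]
# Assumption: AS 64500 publishes correct ROAs; AS 64501 is not on the list.
WELL_BEHAVED = {64500}

# Constructed BGP updates: (prefix, origin AS, what the case illustrates).
ROUTES = [
    ("192.0.2.0/24", 64500, "legitimate origin"),
    ("192.0.2.0/24", 64666, "origin hijack of a well behaved AS"),
    ("198.51.100.0/24", 64501, "covered by a less specific ROA, within maxLength"),
    ("198.51.100.0/25", 64501, "too specific: beyond maxLength"),
    ("203.0.113.0/24", 64502, "no ROA at all"),
    ("2001:db8:1::/48", 64500, "IPv6 more-specific within maxLength"),
]


if __name__ == "__main__":
    for prefix, asn, note in ROUTES:
        state, action, lp = policy(prefix, asn, ROAS, WELL_BEHAVED)
        print(f"{prefix:18} AS{asn:<6} {state:9} {action:7} lp={lp}  ({note})")
```

Running it shows why the post calls the well-behaved list a stop-gap: the too-specific 198.51.100.0/25 announcement is just as Invalid as the 192.0.2.0/24 hijack, but because AS 64501 is not trusted to have its ROAs right it is merely deprioritised, so it still reaches the RIB and FIB whenever nothing better covers it.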
