nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Randy Bush <randy () psg com>
Date: Tue, 21 Apr 2020 04:42:22 -0700
essentially agree. my pedantic quibble is that i would like to differentiate between the RPKI, which is a database, and ROV, which uses it.And I think that is a very important distinction to be clear about. Right now, it's not completely arrest-worthy to use RPKI and ROV interchangeably, but I think considering that other use-cases might come from the database itself in the future, being explicit about it and how it can be used is appropriate pedantry.
i have been pushing this rock uphill for over a decade. to expand, a
bit of text from long ago, so hence a bit out of date, but still clear
RPKI
The RPKI is an X.509 based hierarchy [RFC 6481] which is congruent
with the internet IP address allocation administration, the IANA,
RIRs, ISPs, ... It is just a database, but is the substrate on
which the next two mechanisms are based. It is currently deployed
in all five administrative regions.
RPKI-based Origin Validation (ROV)
RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data
to allow a router to verify that the autonomous system originating
an IP address prefix is in fact authorized to do so. This is not
crypto checked so can be violated. But it should prevent the vast
majority of accidental 'hijackings' on the internet today, e.g. the
famous Pakistani accidental announcement of YouTube's address space.
RPKI-based origin validation is in shipping code from AlcaLu, Cisco,
Juniper, and possibly others.
BGPsec
RPKI-based Path Validation, AKA BGPsec, a future technology still
being designed [draft-ietf-sidr-bgpsec-overview], uses the full
crypto information of the RPKI to make up for the embarrassing
mistake that, like much of the internet BGP was designed with no
thought to securing the BGP protocol itself from being
gamed/violated. It allows a receiver of a BGP announcement to
cryptographically validate that the autonomous systems through which
the announcement passed were indeed those which the sender/forwarder
at each hop intended.
currently, bgosec still has no traction. there are other proposals in
the space, e.g. ASPA. but the point is that they USE the rpki, they are
not the rpki.
randy
Current thread:
- Re: "Is BGP safe yet?" test, (continued)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 20)
- Re: "Is BGP safe yet?" test Amir Herzberg (Apr 20)
- Re: "Is BGP safe yet?" test Job Snijders (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Saku Ytti (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Cummings, Chris (Apr 20)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 20)
- Re: "Is BGP safe yet?" test Denys Fedoryshchenko (Apr 20)
- Re: "Is BGP safe yet?" test Rubens Kuhl (Apr 20)
- Re: "Is BGP safe yet?" test Denys Fedoryshchenko (Apr 20)