On 13 Nov 2018, at 13:50, Paul Wilkins wrote:
> If RPKI only had the same chain of trust for in-addr.arpa as the rest > of DNS does back to iana. Strong route origin policies via RPKI, plus draft-azimov-sidrops-aspa-verification-01 & draft-ietf-grow-rpki-as-cones-00 are ultimately the way to solve this relatively automagically. In the interim, BCPs and working with major transits to update them with valid upstream/peer paths so that they can construct AS_PATH filters are a key defensive measure, as are all the other route-filtering BCPs, as you note. And we need BGP-speaker vendors to implement RFC8212 as a safeguard. -------------------------------------------- Roland Dobbins <[email protected]> _______________________________________________ AusNOG mailing list [email protected] http://lists.ausnog.net/mailman/listinfo/ausnog
