Here's some more literature: 
https://blog.cloudflare.com/rpki-and-the-rtr-protocol/

Eric
On Aug 20 2020, at 10:00 am, Dovid Bender <do...@telecurve.com> wrote:
> Fabien,
>
> Thanks. So to sum it up there is nothing stopping a bad actor from 
> impersonating me as if I am BGP'ing with them. It's to stop any other AS 
> other than mine from advertising my IP space. Is that correct? How is 
> verification done? They connect to the RIR and verify that there is a cert 
> signed by the RIR for my range?
>
>
>
> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG 
> <nanog@nanog.org (mailto:nanog@nanog.org)> wrote:
> > Hi,
> >
> > In fact, RPKI does nothing about AS Path checks if it's your question. RPKI 
> > is based on ROA where signatures are published to guarantee you're the 
> > owner of a specific prefix with optional different maxLength from your ASN.
> > So if the question is about if RPKI is sufficient to secure the whole BGP 
> > path, well, it's not. RPKI only guarantees / permits verifying that the resource 
> > announcement (IPvX block) is really owned by your ASN. But even if it's 
> > not sufficient, we need to deploy it to start securing resources, not the 
> > whole path.
> > Don't know if it replies to your question, but you can also read the pretty 
> > good documentation on RPKI here: 
> > https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the 
> > corresponding RFC ;)
> > On 20-08-2020 15:20, Dovid Bender wrote:
> > > Hi,
> > >
> > > I am sorry for the n00b question. Can someone help point me in the right 
> > > direction to understand how RPKI works? I understand that from my side 
> > > that I create a key, submit the public portion to ARIN and then send a 
> > > signed request to ARIN asking them to publish it. How do ISPs that 
> > > receive my advertisement (either directly from me, meaning my upstreams 
> > > or my upstream's upstream) verify against the cert that the advertisement 
> > > is coming from me? If say we have
> > > Medium ISP (AS1000) -> Large ISP (AS200)
> > > in the above case AS200 knows it's peering with AS1000 so it will take all 
> > > advertisements. What's stopping AS1000 from adding a router to their 
> > > network to impersonate me, make it look like I am peering with them and 
> > > then they re-advertise the path to Large ISP?
> > >
> > > Again sorry for the n00b question, I am trying to make sense of how it 
> > > works.
> > >
> > > TIA.
> > >
> > > Dovid
> > >
> > >
> > >
> >
> > --
> > Fabien VINCENT
> > @beufanet
> >
> >
>
>

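Route origin validation as Fabien describes it (a ROA binds a prefix and maxLength to one origin ASN, and a validator marks each received route valid, invalid or not-found by comparing only its origin AS against the covering ROAs), as an added example that is not code from the thread or from any RPKI project. The ROAs, prefixes and ASNs below are constructed sample data.

```python
"""Route Origin Validation (RFC 6811 states) over a constructed ROA set.

Added example, not code from the thread or any RPKI project. Only the origin
AS of a route is checked; the AS path is never inspected, which is why RPKI
alone does not prevent an intermediate AS from inserting itself in the path."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix the ROA authorises (>= prefix length)
    asn: int         # origin ASN authorised; 0 means "nobody may originate"


def covers(roa, route):
    """A ROA covers a route when the route lies within the ROA's prefix."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)


def validate_route(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' for a (prefix, origin AS) pair.

    notfound: no ROA covers the prefix at all.
    valid:    a covering ROA names this origin AS and permits this length.
    invalid:  ROAs cover the prefix but none matches (wrong origin, or the
              announced prefix is longer than maxLength allows)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROAs: AS1000 (the "Medium ISP" of the thread) may originate
# 192.0.2.0/24 exactly, and 2001:db8::/32 down to /48.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 1000),
    ROA("2001:db8::/32", 48, 1000),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 1000), ("192.0.2.0/25", 1000),
                     ("192.0.2.0/24", 200), ("198.51.100.0/24", 200)]:
        print(f"{pfx} from AS{asn}: {validate_route(pfx, asn, SAMPLE_ROAS)}")
```

Note that a route carrying the authorised origin AS at the end of its path still validates, regardless of which neighbour delivered it; that is the gap the thread points out.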