On 20 Jan 2012, at 10:38, Yang Xiang wrote:
> RPKI is great.
>
> But, firstly, ROA doesn't cover all the prefixes now,
> we need an alternative service to alert hijackings.
Or to sign your prefixes.
>
> secondly, ROA can only secure the 'Origin AS' of a prefix,
That's true.
> while Argus can discover potential hijackings caused by anomalous AS path.
Can you explain how?
>
> After ROA and BGPsec deployed in the entire Internet (or, in all of your
> network),
> Argus will stop the service :)
I was just suggesting to add a more deterministic way to detecting
hijacks.
Regards,
as
>
> 2012/1/20 Arturo Servin <[email protected]>
>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
>
>
> Regards,
> as
>
>
>
>
>
> --
> _________________________________________
> Yang Xiang. Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn
>
