On Tue, Sep 18, 2018 at 12:04 PM Owen DeLong <[email protected]> wrote:
>
> > On Sep 18, 2018, at 11:06 AM, Christopher Morrow <[email protected]> wrote:
> >
> > On Tue, Sep 18, 2018 at 10:36 AM Job Snijders <[email protected]> wrote:
> >> Owen,
> >>
> >> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote:
> >> > Personally, since all RPKI accomplishes is providing a
> >> > cryptographically signed notation of origin ASNs that hijackers should
> >> > prepend to their announcements in order to create an aura of
> >> > credibility, I think we should stop throwing resources down this
> >> > rathole.
> >>
> >> I think you underestimate how valuable RPKI based Origin Validation
> >> (even just by itself) is in today's Internet landscape.
> >>
> >> If you are aware of other efforts or more fruitful approaches please let
> >> us know.
> >>
> >
> > Perhaps said another way:
> >
> > "How would you figure out what prefixes your bgp peer(s) should be sending
> > you?"
> > (in an automatable, and verifiable manner)
> >
> > -chris
>
> In theory, that’s what IRRs are for.
>

it's not worked out so far. there's no real authorization/authentication
of note on the data set via the irr. you have no real way of knowing that
'as12 should be announcing 157.130.0.0/16' ... except by chasing the
arin/ripe/etc records today. something that those orgs stamp and which
machines could validate without people using eyeballs would sure be
nice... Oh, that's what RPKI is supposed to provide.

> In practice, while they offer better theoretical capabilities if stronger
> authentication were added, the current implementation and acceptance leave
> much to be desired.
>

and has for approximately 30 yrs... I don't imagine magically it's going to
get better in the next 30 either.

> However, even in theory, RPKI offers nothing of particular benefit even in
> its best case of widespread implementation.
>

"rir says owen can originate route FOO"
"ROA for 157.130.1.0/24 says OWEN can originate"

those seem like valuable pieces of information. Especially since I can know
this through some machine parseable fashion.

-chris

> Owen
>
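The "machine parseable" check Chris is describing is RPKI Route Origin Validation (RFC 6811): for each received route, look up the ROAs that cover its prefix and decide Valid, Invalid or NotFound from the origin AS and the ROA's maxLength. The block below is an added worked example, not code from the thread or from any RPKI implementation; the ROA table is constructed for the example (the prefixes 157.130.0.0/16 and 157.130.1.0/24 and the origin "AS12" are taken from the thread as illustrative values, the maxLengths and the other ASNs are invented, and 192.0.2.0/24 carries an AS0 ROA to show the disavowal case from RFC 6483).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed ROA table: (prefix, maxLength, origin ASN). Real ROAs come
# signed from the RIR repositories via a validator; these are sample values.
SAMPLE_ROAS: List[Tuple[str, int, int]] = [
    ("157.130.0.0/16", 24, 12),  # AS12 may originate the /16 and its more-specifics down to /24
    ("157.130.1.0/24", 24, 12),  # the /24 from the thread, also AS12
    ("192.0.2.0/24", 24, 0),     # AS0 ROA: nobody is authorised to originate this prefix
]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int
    asn: int


def parse_roas(rows: List[Tuple[str, int, int]]) -> List[ROA]:
    """Turn (prefix, maxLength, asn) rows into ROA objects, rejecting
    a maxLength that is shorter than the prefix or longer than allowed."""
    roas = []
    for prefix, max_len, asn in rows:
        net = ipaddress.ip_network(prefix, strict=True)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_len} is not valid for {net}")
        roas.append(ROA(net, max_len, asn))
    return roas


def covering_roas(roas: List[ROA], route: Network) -> List[ROA]:
    """A ROA covers a route when the route prefix lies inside the ROA
    prefix (RFC 6811, 'Covered'). Address family must match."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: List[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 validation state for one announcement.

    NotFound: no ROA covers the prefix (the IRR-era situation Chris
              describes: nothing authoritative to check against).
    Valid:    a covering ROA names this origin AS and the announced
              prefix is no longer than that ROA's maxLength.
    Invalid:  covered, but no ROA matches; this includes a more-specific
              beyond maxLength and any prefix under an AS0 ROA.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "NotFound"
    # AS0 is reserved and must not appear as a BGP origin (RFC 7607), so a
    # route claiming it can never match a ROA.
    if origin_as == 0:
        return "Invalid"
    for r in covering:
        if r.asn == origin_as and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def summarize(roas: List[ROA], announcements: List[Tuple[str, int]]) -> dict:
    """Count validation states over a batch of (prefix, origin) pairs, the
    kind of figure an operator looks at before deciding to drop Invalids."""
    counts = {"Valid": 0, "Invalid": 0, "NotFound": 0}
    for prefix, origin in announcements:
        counts[validate(roas, prefix, origin)] += 1
    return counts


if __name__ == "__main__":
    roas = parse_roas(SAMPLE_ROAS)
    # Constructed announcements, not real BGP data.
    for prefix, origin in [("157.130.0.0/16", 12), ("157.130.1.0/24", 12),
                           ("157.130.1.0/24", 64496), ("157.130.1.0/25", 12),
                           ("203.0.113.0/24", 12), ("192.0.2.0/24", 64496)]:
        print(f"{prefix:18} AS{origin:<6} -> {validate(roas, prefix, origin)}")
```

The distinction the thread turns on is NotFound versus Invalid: a prefix with no ROA is in the same position as an IRR-only prefix (nothing to check), while a prefix with a ROA turns a wrong origin or an over-specific announcement into a definite Invalid that a router can act on. ROV looks only at the origin AS of the AS_PATH, which is the scope Job and Chris are defending; it makes no claim about the rest of the path.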

