On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong wrote:
> ROAs are useful for one hop level validation. At the second AS hop
> they are 100% useless.

This conversation cannot be had without acknowledging there are multiple layers of defense in securing BGP. We should also acknowledge that the majority of Internet traffic passes over AS_PATHs that are only one hop. Networks that exchange significant amounts of traffic tend to peer directly with each other.

> > In other words, RPKI and the Prefix-to-AS validation procedure give
> > us much more definitive inputs for routing policies compared to what
> > can be derived from the IRR.
>
> Please explain to me how you distinguish good from bad in the
> following scenario… You peer with AS6939. You receive routes for
> 2001:db8:f300::/48 with the following AS Paths
>
> 1. 6939 1239 54049 2312 1734
> 2. 6939 44046 12049 174 1734
>
> Which one is valid? Which one is not? How did the ROA tell you this?

Both paths 1 and 2 are invalid; because of peerlock we'd never accept 1239 behind 6939, or 174 behind 6939. AS_PATH filtering combined with Origin Validation is where the magic is.

> > RPKI is useful in context of a defense in depth strategy. If one
> > combines "peerlock" AS_PATH filters with origin validation the end
> > result is bullet proof. Even if NTT is the only one to deploy this
> > combination, the benefits are notable.
>
> Indeed, if peerlock gets wider deployment, it might prove useful. But
> unless I’m really misunderstanding peerlock, I don’t see that RPKI
> brings much else to the table in addition.

Wide deployment is not relevant, this is a unilateral defense mechanism, so I fear there may indeed be a degree of misunderstanding.

Kind regards,

Job
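The layered check described in this reply, as an added example that is not code from the thread or from NTT: a peerlock AS_PATH filter is applied first, then RFC 6811 origin validation on whatever survives. The ROA table and the peerlock policy (which ASNs are protected and which neighbors may carry them) are constructed for illustration; only the two AS paths and the prefix come from the thread.

```python
from ipaddress import ip_network

# Constructed ROA table: (prefix, maxLength, origin ASN). The /48 entry covers the
# prefix quoted in the thread; the /32 entry is made up to show the maxLength rule.
ROAS = [
    ("2001:db8:f300::/48", 48, 1734),
    ("2001:db8::/32", 40, 64500),
]

# Constructed peerlock policy: protected ASN -> neighbors allowed to carry it in
# AS_PATH. Hypothetically 1239 and 174 are protected, and the session to 6939 is
# not among the neighbors allowed to announce paths containing either of them.
PEERLOCK = {
    1239: {1239},
    174: {174, 64511},
}


def rpki_state(prefix, origin):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_asn in ROAS:
        roa_net = ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_asn == origin and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "notfound"


def peerlock_ok(neighbor, as_path):
    """Reject if a protected ASN sits behind a neighbor not allowed to carry it."""
    for asn in as_path[1:]:  # ASNs behind the neighbor we learned the route from
        allowed = PEERLOCK.get(asn)
        if allowed is not None and neighbor not in allowed:
            return False, asn
    return True, None


def evaluate(prefix, as_path):
    """Apply peerlock first, then origin validation; return the policy verdict."""
    neighbor, origin = as_path[0], as_path[-1]
    ok, offender = peerlock_ok(neighbor, as_path)
    if not ok:
        return f"reject: peerlock ({offender} behind {neighbor})"
    state = rpki_state(prefix, origin)
    return "reject: rpki invalid" if state == "invalid" else f"accept: rpki {state}"
```

Both paths from the thread are dropped by the peerlock step before the ROA is even consulted, which is the point of the reply: the ROA alone says nothing about the second hop, but it does not have to.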