Re: RPKI for dummies

2020-08-24 Thread Randy Bush
> Some might suggest that a lot of time was spent debating how to do it > with little actual progress or experimentation done. this is the internet. some have suggested pretty much anything. for the historians in the audience, the first s-bgp, what we would now call testathon i guess, was held

Re: RPKI for dummies

2020-08-24 Thread Rayhaan Jaufeerally (NANOG)
[sorry if you're getting this twice, I accidentally sent from the wrong address and it was rejected from the list] Hi Dovid, BGPSEC (as specified in RFC8205) is the next level of routing security which provides the kind of in-band guarantees that you

Re: RPKI for dummies

2020-08-24 Thread Robert Raszuk
Sure thing :) Btw my point was to avoid the potential impression that origin validation brings any real security to bgp. Cheers, R. On Mon, Aug 24, 2020 at 3:12 PM John Kristoff wrote: > On Mon, 24 Aug 2020 13:01:15 + > Robert Raszuk wrote: > > > I would not say that either S-BGP nor

Re: RPKI for dummies

2020-08-24 Thread John Kristoff
On Mon, 24 Aug 2020 13:01:15 + Robert Raszuk wrote: > I would not say that either S-BGP nor so-BGP were precursors to BGP > origin validation ( I am assuming this is what you are referring to > as "system we have today"). I would consider origin validation as just one application of the

Re: RPKI for dummies

2020-08-24 Thread Robert Raszuk
John, > Two precursors to the system we have today. I would not say that either S-BGP nor so-BGP were precursors to BGP origin validation ( I am assuming this is what you are referring to as "system we have today"). If I recall, securing BGP and validating src ASN were independent projects both

Re: RPKI for dummies

2020-08-24 Thread John Kristoff
On Sun, 23 Aug 2020 12:40:19 + Dovid Bender wrote: > Ok. So here is another n00b question. Why don't we have something > where when we advertise IP space we also pass along a cert [...] Take a look at: Stephen Kent, Charles Lynn, and Karen Seo. 2000. Secure border gateway protocol

Re: RPKI for dummies

2020-08-23 Thread Randy Bush
> To John and the others that have responded thanks for all the > explanations. It makes things a lot clearer now. ripe/ncc and isoc/manrs have some gl!tzich webinarz etc on all this randy

Re: RPKI for dummies

2020-08-23 Thread Dovid Bender
To John and the others that have responded thanks for all the explanations. It makes things a lot clearer now. On Thu, Aug 20, 2020 at 10:15 AM John Kristoff wrote: > On Thu, 20 Aug 2020 13:20:53 + > Dovid Bender wrote: > > > How do ISP's that receive my advertisement (either directly from

Re: RPKI for dummies

2020-08-23 Thread Dovid Bender
Ok. So here is another n00b question. Why don't we have something where when we advertise IP space we also pass along a cert that can independently be verified by going back to the RIR to see if that cert was signed by them. This would also stop someone spoofing my ASN. On Thu, Aug 20, 2020 at

Re: RPKI for dummies

2020-08-20 Thread Tom Beecher
ROA = Route Origin Authorization. Origin is the key word. When you create a signed ROA and do all the publishing bits, RPKI validator software will retrieve that, validate the signature, and pass that up to routers, saying "This prefix range that originates from this ASN is valid." Then, any

Re: RPKI for dummies

2020-08-20 Thread John Kristoff
On Thu, 20 Aug 2020 13:20:53 + Dovid Bender wrote: > How do ISP's that receive my advertisement (either directly from me, > meaning my upstreams or my upstreams upstream) verify against the > cert that the advertisement is coming from me? Nothing about your BGP announcements needs to

Re: RPKI for dummies

2020-08-20 Thread Fabien VINCENT (NaNOG) via NANOG
If the other AS announce the same resource, AS Path Length should be perhaps longer will prefix length is the same. RPKI is just here to secure resource announcement verification (ROV). Nothing more in my own opinion. You could read this RFC for RPKI OPs :

Re: RPKI for dummies

2020-08-20 Thread Eric Dugas via NANOG
Here's some more literature: https://blog.cloudflare.com/rpki-and-the-rtr-protocol/ Eric On Aug 20 2020, at 10:00 am, Dovid Bender wrote: > Fabien, > > Thanks. So to sum it up there is nothing stopping a bad actor from > impersonating me as if I am BGP'ing with them. It's to stop any other AS

Re: RPKI for dummies

2020-08-20 Thread Dovid Bender
Fabien, Thanks. So to sum it up there is nothing stopping a bad actor from impersonating me as if I am BGP'ing with them. It's to stop any other AS other than mine from advertising my IP space. Is that correct? How is verification done? They connect to the RIR and verify that there is a cert

Re: RPKI for dummies

2020-08-20 Thread Fabien VINCENT (NaNOG) via NANOG
Hi, In fact, RPKI does nothing about AS Path checks if it's your question. RPKI is based on ROA where signatures are published to guarantee you're the owner of a specific prefix with optional different maxLength from your ASN. So if the question is about if RPKI is sufficient to secure the

RPKI for dummies

2020-08-20 Thread Dovid Bender
Hi, I am sorry for the n00b question. Can someone help point me in the right direction to understand how RPKI works? I understand that from my side that I create a key, submit the public portion to ARIN and then send a signed request to ARIN asking them to publish it. How do ISP's that receive my