Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-20 Thread Mark Milhollan
Seems to me that another logical way to work on cleaning-up invalids would be for those that want to perform validation to contact their direct peers with invalids, though even those contacts can become stale there will be some that are still valid and usually involve those intimately intereste

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-20 Thread Baldur Norddahl
Thu 20 Sep 2018 02:56, Owen DeLong wrote: > > Again, unless you can trust the data in the IRR to build a complete list > of valid AS Paths from the ORIGIN, you can’t safely reject a fake route > that has the correct prepend. > Or you can have each hop validate. For example if HE.net did RPKI

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Jakob Heitz (jheitz) via NANOG
Owen, You are correct in that RPKI leaves many problems unsolved. One that it does solve is prefix splitting. If I issue a ROA for prefix 10.1.2.0/23, any announcement of 10.1.2.0/24 (including mine) will be declared INVALID, because that announcement is covered by the ROA and the mask length i

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
Looks like a certain CDN has volunteered to do that for you. Owen > On Sep 19, 2018, at 01:19 , Job Snijders wrote: > > On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: >>> it is about whether it is acceptable that RIRs (and more >>> specifically ARIN in this mailing list's

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 00:46 , nusenu wrote: > > Owen DeLong: >> Personally, since all RPKI accomplishes is providing a >> cryptographically signed notation of origin ASNs that hijackers >> should prepend to their announcements in order to create an aura of >> credibility, I think we should sto

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Jared Mauch
> On Sep 19, 2018, at 8:55 PM, Owen DeLong wrote: > > Actually, from my perspective, neither one is practical/useful due to the > lack of supporting data to achieve it. I suggest you look at some of the cool research that was done with various prefixes from different regions. You can see t

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 00:44 , Job Snijders wrote: > > On Tue, Sep 18, 2018 at 06:18:00PM -0700, Owen DeLong wrote: >> That depends. If you ONLY allow the maintainer of NET-192.159.10.0/24 >> to update the route objects for it, then the word ONLY is effectively >> present by the lack of any oth

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 18, 2018, at 21:29 , Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 6:22 PM Owen DeLong > wrote: > > > > On Sep 18, 2018, at 15:07 , Job Snijders > > wrote: > > > > On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong w

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread John Curran
On 18 Sep 2018, at 1:23 PM, Owen DeLong wrote: > > Personally, since all RPKI accomplishes is providing a cryptographically > signed notation of origin ASNs that hijackers should prepend to their > announcements in order to create an aura of credibility, I think we should > stop throwing resou

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Joe Provo
There's a lot to sift through in this thread (most of all assertions lacking evidence), but this needs to be called out: On Tue, Sep 18, 2018 at 06:21:56PM -0700, Owen DeLong wrote: [snip] > Point being that there are very very few ASNs using peer lock. Peer lock Despite the cutesy neologism,

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Phil Lavin: > That said, having recently done this with ARIN... they've got a long > way to go before it's a simple process (like RIPE). Submitting > numerous tickets over a 3 day period doesn't strike me as > particularly efficient. > If outreach was done and widely taken up, I just want to r

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Alex Band
> On 19 Sep 2018, at 10:37, Christopher Morrow wrote: > > > > On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin wrote: > > What about a one-off outreach effort? > >> Makes sense to me. As someone who (at least pretends to) care, I was very >> much unaware of RPKI before seeing discussion about i

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Christopher Morrow wrote: > This seems bad, at first blush, but you will not always be here to offer > these recalcitrant folk a pointer to how to fix themselves that is correct but I don't expect that (to be around forever) to be necessary, once the amount of invalids are low, big operators coul

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin wrote: > > What about a one-off outreach effort? > > Makes sense to me. As someone who (at least pretends to) care, I was very > much unaware of RPKI before seeing discussion about it on NANOG and #ix. > > That said, having recently done this with ARIN.

RE: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Phil Lavin
> What about a one-off outreach effort? Makes sense to me. As someone who (at least pretends to) care, I was very much unaware of RPKI before seeing discussion about it on NANOG and #ix. That said, having recently done this with ARIN... they've got a long way to go before it's a simple process

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 1:19 AM Job Snijders wrote: > On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: > > > it is about whether it is acceptable that RIRs (and more > > > specifically ARIN in this mailing list's context) notify affected > > > parties of their prefixes that suf

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Job Snijders
On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: > > it is about whether it is acceptable that RIRs (and more > > specifically ARIN in this mailing list's context) notify affected > > parties of their prefixes that suffer from stale ROAs. > > This I still think is a bad plan.. m

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 12:51 AM nusenu wrote: > Owen DeLong: > > Personally, since all RPKI accomplishes is providing a > > cryptographically signed notation of origin ASNs that hijackers > > should prepend to their announcements in order to create an aura of > > credibility, I think we should s

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
> > in which case MD5 passwords on your BGP sessions pretty much > > accomplishes the same thing with a lot less kerfuffle. > > > oh gosh, sorry I missed this in the previous conversation... for folk following along at home: TCP-MD5 is really REALLY just: "better CRC(checksum)" on your BGP sess

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Owen DeLong: > Personally, since all RPKI accomplishes is providing a > cryptographically signed notation of origin ASNs that hijackers > should prepend to their announcements in order to create an aura of > credibility, I think we should stop throwing resources down this > rathole. regardless of

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Job Snijders
On Tue, Sep 18, 2018 at 06:18:00PM -0700, Owen DeLong wrote: > That depends. If you ONLY allow the maintainer of NET-192.159.10.0/24 > to update the route objects for it, then the word ONLY is effectively > present by the lack of any other route objects. Ah, so you are now applying the RPKI Origin

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 6:22 PM Owen DeLong wrote: > > > > On Sep 18, 2018, at 15:07 , Job Snijders wrote: > > > > On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong wrote: > >> ROAs are useful for one hop level validation. At the second AS hop > >> they are 100% useless. > > > > This convers

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 15:07 , Job Snijders wrote: > > On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong wrote: >> ROAs are useful for one hop level validation. At the second AS hop >> they are 100% useless. > > This conversation cannot be had without acknowledging there are multiple > lay

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 14:58 , Job Snijders wrote: > > On Tue, Sep 18, 2018 at 02:35:44PM -0700, Owen DeLong wrote: >>> "rir says owen can originate route FOO" >>> "ROA for 157.130.1.0/24 says OWEN can originate" >> >> Nope… ROA says (e.g.) AS1734 (or anyone willing to impersonate AS1734) >> c

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 4:54 PM nusenu wrote: > > Christopher Morrow wrote: > >>> Yes that is what I had in mind (notification via email to the tech > >>> contact). > >>> > >>> > >> i'm positive that will end in sadness. > > > > we can also send snail mail :) > > after all ~80 or so entities is a

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread nusenu
> Christopher Morrow wrote: >>> Yes that is what I had in mind (notification via email to the tech >>> contact). >>> >>> >> i'm positive that will end in sadness. > > we can also send snail mail :) > after all ~80 or so entities is a manageable amount of organizations to > notify in the ARIN regio

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Job Snijders
On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong wrote: > ROAs are useful for one hop level validation. At the second AS hop > they are 100% useless. This conversation cannot be had without acknowledging there are multiple layers of defense in securing BGP. We should also acknowledge that the

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread nusenu
Christopher Morrow: >> Yes that is what I had in mind (notification via email to the tech >> contact). >> >> > i'm positive that will end in sadness. we can also send snail mail :) after all ~80 or so entities is a manageable amount of organizations to notify in the ARIN region. -- https://twi

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Job Snijders
On Tue, Sep 18, 2018 at 02:35:44PM -0700, Owen DeLong wrote: > > "rir says owen can originate route FOO" > > "ROA for 157.130.1.0/24 says OWEN can originate" > > Nope… ROA says (e.g.) AS1734 (or anyone willing to impersonate AS1734) > can originate 192.159.10.0/24. I'd phrase slightly different (

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 2:34 PM, Job Snijders wrote: > > On Tue, Sep 18, 2018 at 12:04:19PM -0700, Owen DeLong wrote: >>> Perhaps said another way: >>> >>> "How would you figure out what prefixes your bgp peer(s) should be sending >>> you?" >>> (in an automatable, and verifiable manner) >>

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 2:32 PM Owen DeLong wrote: > > > On Sep 18, 2018, at 2:15 PM, Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 1:33 PM nusenu wrote: > >> Christopher Morrow wrote: >> > Perhaps this was answered elsewhere, but: "Why is this something >> > ARIN (the org) should

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> > "rir says owen can originate route FOO" > "ROA for 157.130.1.0/24 says OWEN can originate" > Nope… ROA says (e.g.) AS1734 (or anyone willing to impersonate AS1734) can originate 192.159.10.0/24. > those seem like valuable pieces of information. Especially since I c

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Job Snijders
On Tue, Sep 18, 2018 at 12:04:19PM -0700, Owen DeLong wrote: > > Perhaps said another way: > > > > "How would you figure out what prefixes your bgp peer(s) should be sending > > you?" > >(in an automatable, and verifiable manner) > > In theory, that’s what IRRs are for. You may be overlook

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 12:04 PM Owen DeLong wrote: > > > On Sep 18, 2018, at 11:06 AM, Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 10:36 AM Job Snijders wrote: > >> Owen, >> >> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: >> > Personally, since all RPKI accompli

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 2:15 PM, Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 1:33 PM nusenu > wrote: > Christopher Morrow wrote: > > Perhaps this was answered elsewhere, but: "Why is this something > > ARIN (the org) should take on?" > > Thanks

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 12:09 PM, Jared Mauch wrote: > > > >> On Sep 18, 2018, at 3:04 PM, Owen DeLong wrote: >> >> >> >>> On Sep 18, 2018, at 11:06 AM, Christopher Morrow >>> wrote: >>> >>> >>> >>> On Tue, Sep 18, 2018 at 10:36 AM Job Snijders wrote: >>> Owen, >>> >>> On Tue, Sep 1

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 1:33 PM nusenu wrote: > Christopher Morrow wrote: > > Perhaps this was answered elsewhere, but: "Why is this something > > ARIN (the org) should take on?" > > Thanks for this question, I believe this is an important one. > > I reasoned about why I think RIRs are in a good

RE: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Michel Py
> nusenu wrote: > What do you think about the idea that ARIN actively informs their affected > members about prefixes that are unreachable in an RPKI ROV environment? Support, although I doubt it would achieve the desired result. I support it for the following reason: when someone starts to bl

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread nusenu
Christopher Morrow wrote: > Perhaps this was answered elsewhere, but: "Why is this something > ARIN (the org) should take on?" Thanks for this question, I believe this is an important one. I reasoned about why I think RIRs are in a good position to send these emails here: [1] but I will quote fr

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Jared Mauch
> On Sep 18, 2018, at 3:04 PM, Owen DeLong wrote: > > > >> On Sep 18, 2018, at 11:06 AM, Christopher Morrow >> wrote: >> >> >> >> On Tue, Sep 18, 2018 at 10:36 AM Job Snijders wrote: >> Owen, >> >> On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: >> > Personally, since all

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 10:35 AM, Job Snijders wrote: > > Owen, > > On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: >> Personally, since all RPKI accomplishes is providing a >> cryptographically signed notation of origin ASNs that hijackers should >> prepend to their announcements i

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
> On Sep 18, 2018, at 11:06 AM, Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 10:36 AM Job Snijders > wrote: > Owen, > > On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: > > Personally, since all RPKI accomplishes is providing a > > cryptograp

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
(popping back to the top of the thread.. sorry) On Tue, Sep 18, 2018 at 7:58 AM nusenu wrote: > Dear NANOG, > > when I approached ARIN about how they feel about reaching out to their > members about > prefixes that are unreachable in a route origin validation (ROV) > environment, > John Curran (

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 10:36 AM Job Snijders wrote: > Owen, > > On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: > > Personally, since all RPKI accomplishes is providing a > > cryptographically signed notation of origin ASNs that hijackers should > > prepend to their announcements in

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Job Snijders
Owen, On Tue, Sep 18, 2018 at 10:23:42AM -0700, Owen DeLong wrote: > Personally, since all RPKI accomplishes is providing a > cryptographically signed notation of origin ASNs that hijackers should > prepend to their announcements in order to create an aura of > credibility, I think we should stop

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread Owen DeLong
t outreach/notification would be > - to reduce the number of broken legacy ROAs from the past > - reduce the negative impact on reachability of affected members. > > looking forward to receiving your feedback! > > kind regards, > nusenu > > > > > [1] htt

Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-18 Thread nusenu
. looking forward to receiving your feedback! kind regards, nusenu [1] https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c John Curran wrote: > Subject: Reaching out to ARIN members about their RPKI INVALID prefixes > > Nusenu - > > Thank you for wri