Hi, (please see inline)

On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:

> In message <be3751fd-3b12-b73b-71ec-8f012191161f@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
>
>> RPKI adoption is now taking off in a big way - see AT&T's recent announcement and NTT's plans. Commoditisation of RPKI support for IXP route servers will be available within weeks.
>
> The AT&T announcement was indeed heartening.
>
> Can you see if you can drag a few IXP people into this conversation (please)?

Nick is part of "IXP people" afaik for a long time. I am too, although I'm more into the "IXP security people" set nowadays :-)

In general, I think IXP people will do everything they can to minimize hijackers' goals, especially if they receive a complaint from customer X saying customer Z is hijacking a prefix and they are announcing it to customer X (and possibly other customers). That's where RPKI and route servers get into the picture -- if hijacked prefix announcements were not made directly, RPKI on route servers might stop those announcements, and even if RPKI is not applied on route servers, they could hold the proof that a hijack was made.

But the main point here about 2019-03 is that RPKI on route servers, or even recording all announcements through route servers, will not happen overnight, and it will not solve hijacks made through direct peerings where the receiving end is not discarding the "bad prefix" through RPKI. Again, there are tools with enough maturity that can be used to protect each and every one of the 60000+ ASNs from hijacks, but the "issue" between the chair and a keyboard makes something along the lines of 2019-03 still needed.

> If they all say that this proposal is pointless, and that the problem will be essentially solved in time for Vappu, then it probably would then be a reasonable choice to set this on the back burner, just for a bit, to see how things really shake out.
>
> I think we all understand that just because RPKI support may be available, that doesn't mean that anybody who hasn't already done so is actually going to deploy it. So it would be Good to hear what the actual plans are.

Essentially agreeing with Ronald, I think anyone could also argue that people without the ability to use RPKI shouldn't be playing the BGP game, but I certainly prefer to think that intentional and persistent hijackers shouldn't be allowed (by the community) to keep playing the BGP game. :-)

Best Regards,
Carlos

> Regards,
> rfg