Fwd: Re: Announcing supernets in BGP?
> I see three ways: 1) RPKI 2) RPKI 3) RPKI

I fully agree! But I ask: where is it used? Obviously nowhere at Tier1/2, otherwise we wouldn't see such a big mess like 80/5 in BGP.. Is it up to me, an XS-provider to start with - while it's globally ignored?

regards

Michael Markstaller

Elaborated Networks GmbH www.elabnet.de
Lise-Meitner-Str. 1, D-85662 Hohenbrunn, Germany
phone: +49-8102-8951-60, fax: +49-8102-8951-80
Managing directors: Stefan Werner, Michael Markstaller
Amtsgericht München HRB 125120, VAT ID: DE201281054
As with many new technologies, if we wait for everybody to 'do it', then no one ends up 'doing it'. Definitely this is one of the kinds of situations we should use to raise awareness of the technology.

regards

~Carlos

On 9/11/12 3:09 PM, Michael Markstaller wrote:
> > I see three ways: 1) RPKI 2) RPKI 3) RPKI
>
> I fully agree! But I ask: where is it used? Obviously nowhere at Tier1/2, otherwise we wouldn't see such a big mess like 80/5 in BGP.. Is it up to me, an XS-provider to start with - while it's globally ignored?
>
> regards
>
> Michael Markstaller
>
> Elaborated Networks GmbH www.elabnet.de
> Lise-Meitner-Str. 1, D-85662 Hohenbrunn, Germany
> phone: +49-8102-8951-60, fax: +49-8102-8951-80
> Managing directors: Stefan Werner, Michael Markstaller
> Amtsgericht München HRB 125120, VAT ID: DE201281054
On 11.09.2012 20:21, Carlos M. martinez wrote:
> As with many new technologies, if we wait for everybody to 'do it', then no one ends up 'doing it'.

Ok, I agree, will do ASAP! But will it help? I'm not sure if I get larger companies on this track, really.. One example: I'm doing PGP-signing for 14yrs now, nothing changed, the "best" result is proprietary "DE-MAIL"..

Michael
Hi Michael,

On 11 Sep 2012, at 20:09, Michael Markstaller <mm@elabnet.de> wrote:
> > I see three ways: 1) RPKI 2) RPKI 3) RPKI
>
> I fully agree! But I ask: where is it used?

In total, well over a thousand LIRs in the RIPE region have set up RPKI. Together they created ROAs to cover about four /8s worth of IPv4 address space: http://certification-stats.ripe.net/?type=roa-v4u

> Obviously nowhere at Tier1/2, otherwise we wouldn't see such a big mess like 80/5 in BGP.. Is it up to me, an XS-provider to start with - while it's globally ignored?

Out of the 100 largest LIRs, roughly half have got RPKI enabled, but many of these parties are careful when implementing new technology. There is a lot of testing going on that you can't see on the public Internet, just like LIRs who hold an IPv6 allocation that they don't announce (yet). However, if you point your RPKI Validator at prefixes like 91.0.0.0/10, 82.240.0.0/12 or 84.96.0.0/13, you'll see that it's not all bad news.

The big question is when operators will actually start using RPKI Origin Validation in their BGP decision making workflows. It's a complicated question to answer, with many factors involved.

Cheers,

Alex
Hi Alex,

On 11.09.2012 21:47, Alex Band wrote:
> Hi Michael,
>
> On 11 Sep 2012, at 20:09, Michael Markstaller <mm@elabnet.de> wrote:
> > > I see three ways: 1) RPKI 2) RPKI 3) RPKI
> >
> > I fully agree! But I ask: where is it used?
>
> In total, well over a thousand LIRs in the RIPE region have set up RPKI. Together they created ROAs to cover about four /8s worth of IPv4 address space: http://certification-stats.ripe.net/?type=roa-v4u
>
> > Obviously nowhere at Tier1/2, otherwise we wouldn't see such a big mess like 80/5 in BGP.. Is it up to me, an XS-provider to start with - while it's globally ignored?
>
> Out of the 100 largest LIRs, roughly half have got RPKI enabled, but many of these parties are careful when implementing new technology. There is a lot of testing going on that you can't see on the public Internet, just like LIRs who hold an IPv6 allocation that they don't announce (yet). However, if you point your RPKI Validator at prefixes like 91.0.0.0/10, 82.240.0.0/12 or 84.96.0.0/13, you'll see that it's not all bad news.
>
> The big question is when operators will actually start using RPKI Origin Validation in their BGP decision making workflows. It's a complicated question to answer, with many factors involved.

Thanks for the detailed insights! I will consider implementing RPKI for our resources ASAP. (Though in this case it wouldn't have helped me) I see the clear advantages this has over "just guessing" whether an announcement might be right or wrong - but there are also some risks due to possible misconfiguration if it's only used by a minority.. Well, as you stated: it's complicated but I'm willing to adopt new and reasonable things like this.

best regards

Michael
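
An added example, not part of any message in this thread: the RFC 6811 origin validation check that the "RPKI Origin Validation" discussed above refers to, run over constructed data. The ROA contents and the documentation ASNs (64496, 64497, 64511) are assumptions for illustration and do not reflect the real ROAs for these prefixes.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


# Constructed ROA payloads: two prefixes named in the thread, paired with
# documentation ASNs (RFC 5398). These are not the real ROAs.
ROAS = [
    ROA(ipaddress.ip_network("82.240.0.0/12"), 12, 64496),
    ROA(ipaddress.ip_network("84.96.0.0/13"), 16, 64497),
]

# Constructed BGP announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("84.96.0.0/13", 64497),   # exact match of a ROA
    ("84.100.0.0/16", 64497),  # more specific, within maxLength
    ("84.96.0.0/24", 64497),   # more specific, beyond maxLength
    ("84.96.0.0/13", 64511),   # covered prefix, wrong origin AS
    ("80.0.0.0/5", 64511),     # supernet like the 80/5 in the thread
]


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    # A ROA covers a route only when the route is equal to, or more
    # specific than, the ROA prefix. A supernet is never covered.
    covering = [r for r in roas if route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        # AS0 in a ROA never matches any origin.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def classify_all(announcements=ANNOUNCEMENTS):
    """Map each (prefix, origin ASN) pair to its validation state."""
    return {(p, a): validate(p, a) for p, a in announcements}


if __name__ == "__main__":
    for (p, a), state in classify_all().items():
        print(f"{p:16} AS{a:<6} {state}")
```

With these ROAs the 80.0.0.0/5 announcement comes out as not-found rather than invalid, because no ROA prefix is short enough to cover it, so origin validation on its own does not reject it.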
participants (3)
- Alex Band
- Carlos M. martinez
- Michael Markstaller