This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] 2019-03 and over-reach

Previous message (by thread): [anti-abuse-wg] 2019-03 and over-reach
Next message (by thread): [anti-abuse-wg] 2019-03 and over-reach

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Carlos Friaças cfriacas at fccn.pt
Sun Mar 24 12:18:12 CET 2019

Hi,
(please see inline)

On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:

>
> In message <be3751fd-3b12-b73b-71ec-8f012191161f at foobar.org>,
> Nick Hilliard <nick at foobar.org> wrote:
>
>> RPKI adoption is now taking off in a big way - see AT&T's recent
>> announcement and NTT's plans.  Commoditisation of RPKI support for IXP
>> route servers will be available within weeks.
>
> The AT&T announcement was indeed heartening.
>
> Can you see if you can drag a few IXP people into this conversation (please)?

Nick is part of "IXP people" afaik for a long time. I am too, although i'm 
more into the "IXP security people" set nowadays :-)

In general, i think IXP people will do everything they can to minimize 
hijacker's goals, especially if they receive a complaint from customer X 
saying customer Z is hijacking a prefix and they are announcing it to 
customer X (and possibly other customers).

That's where RPKI and route servers get into the picture -- if hijacked 
prefix announcements were not made directly, RPKI on route servers might 
stop those announcements, and even if RPKI is not applied on route 
servers, they could hold the proof that an hijack was made.

But the main point here about 2019-03 is that RPKI on route servers, or 
even recording all announcements through route servers will not happen 
overnight, and it will not solve hijacks made through direct peerings 
where the receiving end is not discarding the "bad prefix" through RPKI.

Again, there are tools with enough maturity than can be used to protect 
each and every of the 60000+ ASNs from hijacks, but the "issue" between 
the chair and a keyboard makes something in the line of 2019-03 still 
needed.

> If they all say that this proposal is pointless, and that the problem will
> be essentially solved in time for Vappu, then it probably would then be
> a reasonable choice to set this on the back burner, just for a bit, to see
> how things really shake out.
>
> I think we all understand that just because RPKI support may be available,
> that doesn't mean that anybody who hasn't already done so is actually going
> to deploy it.  So it would be Good to hear what the actual plans are.

Essentially agreeing with Ronald, i think anyone could also argue that 
people without the ability to use RPKI shouldn't be playing the BGP game, 
but i certainly prefer to think that intentional and persistens hijackers 
shouldn't be allowed (by the community) to keep playing the BGP game. :-)

Best Regards,
Carlos

> Regards,
> rfg
>

Previous message (by thread): [anti-abuse-wg] 2019-03 and over-reach
Next message (by thread): [anti-abuse-wg] 2019-03 and over-reach

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]