This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] looking for online RPKI dashboard / looking glass?
Matthias Waehlisch
m.waehlisch at fu-berlin.de
Wed May 2 21:18:50 CEST 2018
On Wed, 2 May 2018, Job Snijders wrote:

> > How would you recommend handling the case
> >
> > "normally I only announce a /16, but in case one of our customers is
> > DDoSed, I want to announce the affected IP address as part of their
> > /24 out of upstream-that-does-regional-blackholing"?
> >
> > If I create the /24 ROAs up front, I'm back in square one ("while I
> > am not announcing the /24, someone else could hijack with a faked
> > origin AS").
> >
> > If I do not create the /24 ROAs up front, I have propagation delays
> > (and might not be able to reach the RIPE RPKI tool at all while the
> > DDoS goes on).
> >
> > *scratch head*
>
> If your DDoS mitigator depends on BGP hijacking to deliver their
> scrubbing services to you ... indeed you'll have challenges. I have no
> good answer, this is an architectural flaw where one has to make a
> trade-off between wanting to protect against hijacks and having the
> ability to insert more-specifics for legitimate purposes.
>

RPKI origin validation does not protect against path manipulation.
Even if you are announcing the /24, someone else could hijack with a faked
origin AS. It just gets more difficult because there are competing
announcements.

Cheers
  matthias

--
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
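
The trade-off discussed in this message, as an added example that is not part of the original email: a minimal RFC 6811 origin-validation check showing what a ROA does and does not cover. The prefixes, AS numbers and the names `ROA`, `validate` and `scenarios` are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # authorised prefix
    max_length: int  # longest prefix length the ROA permits
    asn: int         # authorised origin AS

def validate(roas, route_prefix, as_path):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    Only the prefix and the last AS in the path (the origin) are checked;
    the rest of the AS path is never examined.
    """
    route = ipaddress.ip_network(route_prefix)
    origin = as_path[-1]
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True  # some ROA covers this route
        if roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed sample data: benchmarking address space and documentation ASNs.
HOLDER, OTHER = 64496, 64511
ONLY_16 = [ROA("198.18.0.0/16", 16, HOLDER)]
WITH_24 = ONLY_16 + [ROA("198.18.5.0/24", 24, HOLDER)]

def scenarios():
    more_specific = "198.18.5.0/24"
    return {
        # No /24 ROA: every /24 is invalid, including the holder's own.
        "only16_holder_24": validate(ONLY_16, more_specific, [64500, HOLDER]),
        "only16_forged_24": validate(ONLY_16, more_specific, [OTHER, HOLDER]),
        # /24 ROA created up front: the holder's /24 validates ...
        "with24_holder_24": validate(WITH_24, more_specific, [64500, HOLDER]),
        # ... and so does any path that ends in the holder's AS number.
        "with24_forged_24": validate(WITH_24, more_specific, [OTHER, HOLDER]),
        # A different origin AS is still rejected.
        "with24_other_origin": validate(WITH_24, more_specific, [OTHER]),
        "uncovered": validate(WITH_24, "203.0.113.0/24", [OTHER]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22} {state}")
```
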