This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] looking for online RPKI dashboard / looking glass?
- Previous message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
- Next message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Wed May 2 21:27:09 CEST 2018
On Wed, May 02, 2018 at 09:18:50PM +0200, Matthias Waehlisch wrote:
> > > *scratch head*
> >
> > If your DDoS mitigator depends on BGP hijacking to deliver their
> > scrubbing services to you ... indeed you'll have challenges. I have
> > no good answer, this is an architectural flaw where one has to make
> > a trade-off between wanting to protect against hijacks and having
> > the ability to insert more-specifics for legitimate purposes.
>
> RPKI origin validation does not protect against path manipulation.
>
> Even if you announcing the /24, someone else could hijack with a faked
> origin A. It just gets more difficult because there are competing
> announcements.
For path validation there are other tricks! It is a bit of a poor man's
solution, but so much better than nothing. It only protects a subset of
all ASNs, but combined with RPKI Origin Validation this would be
extremely effective.
https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf
https://www.youtube.com/watch?v=CSLpWBrHy10
Kind regards,
Job
- Previous message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
- Next message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]