[routing-wg] Path validation with RPKI

Dear routing-wg'ers,

A few weeks ago there was a significant route leak through Safe Host and China Telecom. This keeps happening. I think we can stop these route leaks with a relatively modest change to RPKI: by combining the ASes the origin trusts and the ASes the operator of an RPKI relying party server trusts, we have a list of all the ASes that may legitimately appear in the AS path as seen from this particular vantage point.

I believe deployment will be relatively easy, as it works for the two ASes at both ends even if ASes in the middle don't participate.

So this means a change to the ROA format, a change to the RPKI-router protocol, and of course changes to the software involved. I'm interested to hear what everyone thinks of this, and especially what the developers of implementations think.

Here is the draft with the protocol modifications:

https://datatracker.ietf.org/doc/draft-van-beijnum-sidrops-pathrpki/ <https://datatracker.ietf.org/doc/draft-van-beijnum-sidrops-pathrpki/>

There is path filter example code in the appendix to show that this part is easy.  :-)

In case you want to try this out but don't want to compile it yourself, (mostly) the same code is also running here:

http://bgpexpert.com/pathrpki/ <http://bgpexpert.com/pathrpki/>

And if you need more background:

http://www.muada.com/2019/06-13-lets-fix-those-bgp-route-leaks.html <http://www.muada.com/2019/06-13-lets-fix-those-bgp-route-leaks.html>

Note that this is significantly different from the AS-Cones proposal. AS-Cones is a way for transit ASes to filter their peers (and maybe their customers). RPKI path validation is everyone filtering all prefixes they see, regardless of whether these prefixes come in through peering or transit. However, there is no reason the two can't be deployed side by side.

Iljitsch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/routing-wg/attachments/20190620/33569f18/attachment.html>