2012/1/20 Arturo Servin <aser...@lacnic.net>

> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
>
> > RPKI is great.
> >
> > But, firstly, ROA doesn't cover all the prefixes now,
> > we need an alternative service to alert hijackings.
>
> Or to sign your prefixes.

Signing prefixes is the best way.
Before signing all prefixes, it is better if we have a detection service.

> > secondly, ROA can only secure the 'Origin AS' of a prefix,
>
> That's true.
>
> > while Argus can discover potential hijackings caused by anomalous AS path.
>
> Can you explain how?

Only an imprecise detection.
Section III.C in our paper
http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf

A brief explanation is:
If an anomalous AS path hijacked a prefix,
I can get replies in normal route-servers,
and cannot get replies in abnormal route-servers.

Here we only consider hijackings that black-hole the prefix.
If a hijacking doesn't black-hole the prefix (i.e., redirect, interception, ...),
it is hard to detect :(
I think network operators are only careless, but not trust-less,
so black-hole hijacking is the majority case.

> > After ROA and BGPsec are deployed in the entire Internet (or, in all of your network),
> > Argus will stop the service :)
>
> I was just suggesting to add a more deterministic way to detect hijacks.

Sorry for my poor English :(
What I want to say is, RPKI is really good,
Argus is just an alternative, before we can protect ourselves using signatures, honestly :-)

Best regards!

> Regards,
> as
>
> > --
> > _________________________________________
> > Yang Xiang. Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn

--
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
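
The check described in the reply above (replies via route-servers on a normal path, no replies via route-servers on the anomalous path), sketched as an added Python example; it is not part of the original message and not Argus's own code. The vantage-point records, the documentation-range ASNs, the use of a Pearson correlation and the 0.6 threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt

@dataclass
class Vantage:
    name: str        # hypothetical route-server label
    as_path: tuple   # AS path this route-server selected for the prefix
    replied: bool    # did a probe sent from here get a reply from the prefix?

def contains_segment(path, segment):
    """True if `segment` occurs as consecutive ASNs inside `path`."""
    n = len(segment)
    return any(tuple(path[i:i + n]) == tuple(segment)
               for i in range(len(path) - n + 1))

def correlation(xs, ys):
    """Pearson correlation of two 0/1 vectors; 0.0 when either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def assess(vantages, anomalous_segment, threshold=0.6):
    """Correlate 'route uses the anomalous segment' with 'probe got no reply'."""
    affected = [int(contains_segment(v.as_path, anomalous_segment)) for v in vantages]
    silent = [int(not v.replied) for v in vantages]
    score = correlation(affected, silent)
    # A redirect or interception keeps the prefix reachable everywhere, so
    # `silent` is constant and the score is 0.0: the hard-to-detect case.
    verdict = "suspected black-hole hijack" if score >= threshold else "inconclusive"
    return verdict, score

# Constructed sample data: AS64510 newly appears next to AS64499 in some paths.
SEGMENT = (64510, 64499)
PATHS = [("rs1", (64500, 64510, 64499)), ("rs2", (64501, 64510, 64499)),
         ("rs3", (64502, 64503, 64510, 64499)), ("rs4", (64504, 64498, 64499)),
         ("rs5", (64505, 64498, 64499)), ("rs6", (64506, 64507, 64498, 64499))]

def sample(replies):
    return [Vantage(n, p, r) for (n, p), r in zip(PATHS, replies)]

BLACKHOLE = sample([False, False, False, True, True, True])
NOISY = sample([False, False, False, False, True, True])   # rs4 lost its probe
INTERCEPT = sample([True] * 6)                              # traffic still delivered

if __name__ == "__main__":
    for label, data in [("blackhole", BLACKHOLE), ("noisy", NOISY), ("intercept", INTERCEPT)]:
        print(label, assess(data, SEGMENT))
```
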