On 8/28/14, 11:28 PM, "Mark Andrews" <ma...@isc.org> wrote:

> The long term solution is to deploy RPKI and only use
> transits which use RPKI. No RPKI support => no business.
> Additionally make RPKI a peering requirement.

WG] So should we ask for that before, or after we get everyone to roll out
IPv6 everywhere by voting with our wallets?

*ducks*

On 8/28/14, 11:24 PM, "Fred Baker (fred)" <f...@cisco.com> wrote:

>Are providers that neighbor with them implementing RPKI?
>If not, complain to the folks not indicating RPKI and therefore accepting
>a hijacked prefix.

WG]

%s/RPKI/inbound route filtering on downstream customers/g

There, FTFY

Tarun, other than directly contacting the originator, I recommend that you
complain to their upstream provider(s) (the neighboring ASN(s) in the
AS-Path) that they are accepting routes from their customer that they
shouldn't be, include proof that you own the block they are announcing,
and ask them to apply a prefix filter. Yes, this presupposes that you can
find valid contact info in whois or peeringdb, but it's the best we've got
right now.

RPKI isn't likely to fix this anytime soon, because it's mostly not
deployed where it needs to be to affect this problem. And just like
inbound route filtering and lots of other protective security measures,
[1, 2] and eating your vegetables, and getting more exercise, most folks
agree that it would help, but it's only useful with wide deployment, which
mostly needs to happen on "everyone else's network", and those things all
have an additional cost (time, money, or both) to deploy and maintain. The
unfortunate thing is that RPKI arguably takes more work than the others,
with a much longer time-horizon to see benefit during the incremental
deployment period.

Wes George

[1] https://www.routingmanifesto.org/manifesto/
[2] http://tools.ietf.org/html/draft-ietf-opsec-bgp-security

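The inbound route filtering on downstream customers that the message above recommends, sketched as an added example that is not part of the original thread. The ASNs, prefixes, filter table and function names are all constructed for illustration (documentation address space and documentation ASNs); a real deployment expresses the same logic as prefix-lists in router configuration.

```python
import ipaddress

# Constructed per-customer filters: prefixes each downstream ASN has shown
# it holds, with the longest more-specific the upstream will accept.
CUSTOMER_FILTERS = {
    64496: [("198.51.100.0/24", 24), ("2001:db8:100::/40", 48)],
    64497: [("203.0.113.0/24", 24)],
}

def check_announcement(customer_asn, prefix, as_path):
    """Return (accepted, reason) for a route received on a customer session."""
    net = ipaddress.ip_network(prefix)
    entries = CUSTOMER_FILTERS.get(customer_asn)
    if entries is None:
        return False, "no filter on file for this customer"
    # The neighbor's own ASN must be first in the AS-Path.
    if not as_path or as_path[0] != customer_asn:
        return False, "first ASN in path is not the customer"
    for allowed, max_len in entries:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version != allowed_net.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        if net.subnet_of(allowed_net):
            if net.prefixlen <= max_len:
                return True, f"matches {allowed} le {max_len}"
            return False, f"more specific than /{max_len} inside {allowed}"
    return False, "prefix not in customer filter"

def filter_session(customer_asn, routes):
    """Split routes received from one customer into accepted and rejected."""
    accepted, rejected = [], []
    for prefix, as_path in routes:
        ok, reason = check_announcement(customer_asn, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

# Constructed routes received on the session with customer AS64497.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", [64497]),      # the customer's own block
    ("198.51.100.0/24", [64497]),     # held by AS64496: the hijack case
    ("203.0.113.128/25", [64497]),    # inside the block but too specific
    ("2001:db8:100::/48", [64497]),   # IPv6 block held by AS64496
]

if __name__ == "__main__":
    accepted, rejected = filter_session(64497, SAMPLE_ROUTES)
    for prefix, reason in accepted:
        print("ACCEPT", prefix, "-", reason)
    for prefix, reason in rejected:
        print("REJECT", prefix, "-", reason)
```

With this filter on the customer session, the announcement of another network's prefix is dropped at the first upstream regardless of whether anyone further along validates RPKI.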