for the 312th time. origin validation was never designed to stop
attacks. it was designed to ameliorate mistakes.
if you want to use the rpki to reduce attacks, use bgpsec.
randy
There are a lot of ROAs out there that make it EASIER to hijack
a route rather than harder.
If you register an ROA for a route and also advertise that route
in BGP, then an attacker who prepends your ASN has to at least
compete with your route with an AS_PATH length and will lose
in most of the In
I don't think I've ever agreed with Owen this much, maybe this is the first
sign the world is ending, further proving his statement :)
On Wed, Nov 2, 2022 at 10:30 PM Owen DeLong via NANOG
wrote:
> Oh, I’m not ignoring it, I’m just rather underwhelmed by it and given how
> long it took SIDRWG to
Oh, I’m not ignoring it, I’m just rather underwhelmed by it and given how long
it took SIDRWG to get RPKI this far,
not optimistic about any of the rest of the system getting deployed prior to
IPv6 ubiquity or the end of my time on
this planet, or even before we manage to destroy the planet, whic
Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
> RPKI/ROA is a way to cryptographically prove what someone needs to prepend if
> they want to hijack your addresses.
Operators should not be deterred by that comment. Owen seems to be ignoring
what it does achieve and that this is pa
It's very important to specify the /24 inside the /23 for example so as you
said "for all our subnets being advertised".
On Tue, Nov 1, 2022 at 5:01 PM Randy Bush wrote:
> > Thanks everyone for your inputs. So bottom line: set up RPKI and set up ROAs
> > for all our subnets being advertised.
>
> if
RPKI/ROA is a way to cryptographically prove what someone needs to prepend if
they want to hijack your addresses.
Owen
> On Oct 28, 2022, at 08:00, Samuel Jackson wrote:
>
> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on
> ARIN's documents I am not able t
> Thanks everyone for your inputs. So bottom line: set up RPKI and set up ROAs
> for all our subnets being advertised.
if the BGP advertisements are correct, then mirror them in ROAs. most,
if not all, CA UIs make that easy.
randy
Thanks everyone for your inputs. So bottom line: set up RPKI and set up ROAs
for all our subnets being advertised.
Much of this is legacy and has too many unknowns, being handed down
networks without documentation also does not help.
Thanks,
Sam
On Tue, Nov 1, 2022 at 9:07 AM heasley wrote:
> Tue
Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> One danger with RPKI, is shooting yourself (or customers) in the foot by
> creating too general a ROA. i.e. Suppose you have an ARIN /20. You have
> a multihomed customer to whom you've assigned a /24 from your /20. You
> create a ROA for th
In general, you want to create suitable ROAs for the most specific routes
that will be advertised first.
Suppose you have a /20 from ARIN. You plan to take a /24 from that /20 to
AWS. From what you've said, all you need is a ROA for the /24 you're
taking to AWS, saying it can be originated b
If the route can exist on a FIB, a ROA can exist for it.
So, there is no reason not to create the ROAs.
On Tue, Nov 1, 2022 at 11:12, Samuel Jackson
wrote:
> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on
> ARIN's documents I am not able to answer
Creating ROAs for *all* the announcements that are done with your prefixes,
both on your own AS and the ones announced by AWS, is probably the best way
forward from both a routing security and ease-of-management perspective.
-Alex
> On 28 Oct 2022, at 17:00, Samuel Jackson wrote:
>
> Hello,
>
Church St, Burlington, VT
From: NANOG On Behalf Of
Samuel Jackson
Sent: Friday, October 28, 2022 11:00 AM
To: nanog@nanog.org
Subject: Understanding impact of RPKI and ROA on existing advertisements
Hello,
I am new to RPKI/ROA and still learning about RPKI. From all my reading on
ARIN's documents I am not able to answer some of my questions.
We have a public ARIN block and advertise smaller subnets from that to our
ISPs. We do not have any RPKI configs.
We need to set up ROAs to take another