[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
BGP in the Washngton Post
- Subject: BGP in the Washngton Post
- From: randy at psg.com (Randy Bush)
- Date: Tue, 02 Jun 2015 21:51:46 -0700
- In-reply-to: <[email protected]>
- References: <CAP-guGXCgO2mLXHHLC5kD60-vpALPUT7=oBdUkkg2Vp3iouGhQ@mail.gmail.com> <[email protected]> <[email protected]>
> Yes, RPKI protects from fat fingered people, but NOT protects from
> people doing hijacks knowingly.
the rpki protects from fat fingers as well as the telephone white pages
protects from wrong number dialing. it doesn't.
for the 312th time (i had to make this clear once again from the floor
of nanog this week), ...
The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent
with the internet IP address allocation administration, the IANA,
RIRS, ISPs, ... It is just a database, but is the substrate on
which the next two mechanisms are based. It is currently deployed
in all five administrative regions.
RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data
to allow a router to verify that the autonomous system originating
an IP address prefix is in fact authorized to do so. This is not
crypto checked so can be violated. But it should prevent the vast
majority of accidental 'hijackings' on the internet today, e.g. the
famous Pakistani accidental announcement of YouTube's address space.
RPKI-based origin validation is in shipping code from AlcaLu, Cisco,
Juniper, and possibly others.
RPKI-based Path Validation, a future technology still being designed
[draft-ietf-sidr-bgpsec-overview-06.txt], uses the full crypto
information of the RPKI to make up for the embarrassing mistake
that, like much of the internet BGP was designed with no thought to
securing the BGP protocol itself from being gamed/violated. It
allows a receiver of a BGP announcement to cryptographically
validate that the autonomous systems through which the announcement
passed were indeed those which the sender/forwarder at each hop
intended.
randy