[148683] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

daemon@ATHENA.MIT.EDU (Yang Xiang)
Fri Jan 20 07:40:59 2012

In-Reply-To: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>
From: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Fri, 20 Jan 2012 20:38:55 +0800
To: Arturo Servin <aservin@lacnic.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

RPKI is great.

But, firstly, ROA doesn't cover all the prefixes now,
we need an alternative service to alert hijackings.

secondly, ROA can only secure the 'Origin AS' of a prefix,
while Argus can discover potential hijackings caused by anomalous AS path.

After ROA and BGPsec deployed in the entire Internet (or, in all of your
network),
Argus will stop the service :)

2012/1/20 Arturo Servin <aservin@lacnic.net>

>
>        You could use RPKI and origin validation as well.
>
>        We have an application that does that.
>
>        http://www.labs.lacnic.net/rpkitools/looking_glass/
>
>        For example you can periodically check if your prefix is valid:
>
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
>        If it were invalid for a possible hijack it would look like:
>
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
>        Or you can just query for any state:
>
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
>
>
> Regards,
> as
>
>
>


-- 
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
home help back first fref pref prev next nref lref last post