[148684] in North American Network Operators' Group
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
daemon@ATHENA.MIT.EDU (Arturo Servin)
Fri Jan 20 07:46:52 2012
From: Arturo Servin <aservin@lacnic.net>
In-Reply-To: <CA+rW-LCMo3j8u_xWeHBtvam+FJQYuk2WXA9Zj5t2xaP3zFzN-A@mail.gmail.com>
Date: Fri, 20 Jan 2012 10:45:31 -0200
To: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>
X-LACNIC.uy-MailScanner-From: aservin@lacnic.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 20 Jan 2012, at 10:38, Yang Xiang wrote:
> RPKI is great.
>
> But, firstly, ROA doesn't cover all the prefixes now,
> we need an alternative service to alert hijackings.

Or to sign your prefixes.

> secondly, ROA can only secure the 'Origin AS' of a prefix,

That's true.

> while Argus can discover potential hijackings caused by an anomalous AS path.

Can you explain how?

> After ROA and BGPsec are deployed in the entire Internet (or, in all of your network),
> Argus will stop the service :)

I was just suggesting to add a more deterministic way of detecting hijacks.

Regards,
as
> 2012/1/20 Arturo Servin <aservin@lacnic.net>
>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
> Regards,
> as
>
> --
> _________________________________________
> Yang Xiang. Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn
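The valid / invalid / not-found states that the looking-glass URLs above query are the RFC 6811 origin-validation outcomes of matching an announcement against the ROAs that cover it. The following is an added example, not code from the thread or from the LACNIC tool: a self-contained Python implementation of that check over a constructed ROA set (the prefixes are the ones mentioned in the thread, the origin ASNs 65001/65002 are private-range placeholders). As the thread notes, it sees only the origin AS, not the AS path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder authorized, e.g. "200.7.84.0/23"
    max_length: int   # longest more-specific announcement the ROA allows
    origin_as: int    # AS authorized to originate the prefix


# Constructed sample ROA set for illustration; ASNs are private-range
# placeholders and do not reflect any real RPKI data.
SAMPLE_ROAS = [
    ROA("200.7.84.0/23", 24, 65001),
    ROA("200.31.18.0/24", 24, 65001),
]


def covering_roas(roas, announced):
    """ROAs whose prefix covers the announced prefix (RFC 6811 'covering' ROAs)."""
    net = ipaddress.ip_network(announced, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(roas, announced, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811).

    Only the origin AS is checked: an anomalous AS path with a legitimate
    origin is still 'valid' here, which is the gap the thread discusses.
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"   # no ROA covers this prefix: unsigned space
    plen = ipaddress.ip_network(announced, strict=False).prefixlen
    for roa in covering:
        if roa.origin_as == origin_as and plen <= roa.max_length:
            return "valid"
    return "invalid"         # wrong origin AS or announcement too specific


def check_announcements(roas, announcements):
    """Map each (prefix, origin_as) pair seen in a feed to its validation state."""
    return {ann: validate_origin(roas, *ann) for ann in announcements}
```

An announcement that comes back "invalid" is what an origin hijack (or a too-specific announcement) looks like to RPKI; "not-found" is the unsigned case where an alternative alarm is all you have.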