[148687] in North American Network Operators' Group
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
daemon@ATHENA.MIT.EDU (Yang Xiang)
Fri Jan 20 08:10:21 2012
In-Reply-To: <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net>
From: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Fri, 20 Jan 2012 21:08:22 +0800
To: Arturo Servin <aservin@lacnic.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
2012/1/20 Arturo Servin <aservin@lacnic.net>
>
> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
>
> > RPKI is great.
> >
> > But, firstly, ROA doesn't cover all the prefixes now,
> > we need an alternative service to alert hijackings.
>
> Or to sign your prefixes.
>
Signing prefixes is the best way.
Before all prefixes are signed, it is better if we have a detection service.
>
> >
> > secondly, ROA can only secure the 'Origin AS' of a prefix,
>
> That's true.
>
> > while Argus can discover potential hijackings caused by anomalous AS
> > path.
>
> Can you explain how?
>
Only an imprecise detection.
Section III.C in our paper
http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf
A brief explanation is:
If an anomalous AS path hijacked a prefix,
I can get replies in normal route-servers, and cannot get a reply in abnormal
route-servers.
Here we only consider hijackings that black-hole the prefix.
If a hijacking doesn't black-hole the prefix (i.e., redirect, interception,
...), it is hard to detect :(
I think network operators are only careless, but not trust-less,
so black-hole hijacking is the majority case.
>
> >
> > After ROA and BGPsec deployed in the entire Internet (or, in all of your
> > network),
> > Argus will stop the service :)
>
> I was just suggesting to add a more deterministic way to detect
> hijacks.
>
Sorry for my poor English :(
What I want to say is, RPKI is really good,
Argus is just an alternative,
before we can protect ourselves using signatures,
honestly :-)
Best regards!
>
>
> Regards,
> as
>
>
> >
> > --
> > _________________________________________
> > Yang Xiang. Ph.D candidate. Tsinghua University
> > Argus: argus.csnet1.cs.tsinghua.edu.cn
> >
>
>
--
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
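
The check described in the message above, sketched as an added example that is not part of the thread or of the Argus code: it compares, per route-server, whether the anomalous AS path is in use with whether a probe to the prefix got a reply, and also shows that an origin-only ROA check passes for every path. The route-server names, AS numbers, anomaly segment and 0.8 threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data. AS numbers come from the documentation range (RFC 5398);
# route-server names, the anomaly segment and the 0.8 threshold are assumptions.

@dataclass(frozen=True)
class Vantage:
    name: str        # hypothetical route-server label
    as_path: tuple   # AS path this route-server uses toward the prefix
    replied: bool    # did a probe from this route-server to the prefix get a reply?

def roa_origin_ok(as_path, authorized_origin):
    """Origin validation looks only at the last AS in the path."""
    return as_path[-1] == authorized_origin

def is_abnormal(v, anomaly):
    """True if the anomalous AS segment appears contiguously in the path."""
    n = len(anomaly)
    return any(v.as_path[i:i + n] == anomaly for i in range(len(v.as_path) - n + 1))

def agreement(vantages, anomaly):
    """Share of route-servers where 'abnormal path' coincides with 'no reply'."""
    return sum(is_abnormal(v, anomaly) != v.replied for v in vantages) / len(vantages)

def classify(vantages, anomaly, threshold=0.8):
    abnormal = [v for v in vantages if is_abnormal(v, anomaly)]
    if not abnormal or len(abnormal) == len(vantages):
        return "inconclusive"          # no normal/abnormal split to compare
    if agreement(vantages, anomaly) >= threshold:
        return "black-hole hijack suspected"
    return "not detected"              # e.g. redirect or interception: replies still arrive

ANOMALY = (64500, 64511)               # constructed: AS adjacency not seen before
ORIGIN = 64496                         # constructed: origin AS authorized by the ROA

def sample(abnormal_replies):
    return [
        Vantage("rs1", (64497, 64498, 64496), True),
        Vantage("rs2", (64499, 64498, 64496), True),
        Vantage("rs3", (64501, 64498, 64496), True),
        Vantage("rs4", (64502, 64500, 64511, 64496), abnormal_replies),
        Vantage("rs5", (64503, 64500, 64511, 64496), abnormal_replies),
    ]

if __name__ == "__main__":
    for label, replies in (("black-hole", False), ("interception", True)):
        vs = sample(replies)
        print(label, all(roa_origin_ok(v.as_path, ORIGIN) for v in vs), classify(vs, ANOMALY))
```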