[175834] in North American Network Operators' Group
Re: BGP Security Research Question
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Tue Nov 4 09:03:09 2014
X-Original-To: nanog@nanog.org
Date: Tue, 04 Nov 2014 15:03:00 +0100 (CET)
To: yuri@yurisk.info
From: sthaug@nethelp.no
In-Reply-To: <CAJ8Xm184hP4dcpiy7syP-p_cBaO=mZaV2LQmqnGPyhdZwMNfMg@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> Let me disagree - Pakistan Youtube was possible only because their uplink
> provider did NOT implement inbound route filters . As always the weakest
> link is human factor - and no super-duper newest technology is ever to help
> here .
Agreed, the uplink absolutely should have implemented prefix filtering.
However, if the Youtube prefixes had been protected with RPKI, ISPs far
away could have verified the announcements themselves - and would have
found that the Pakistan Telecom originated prefixes were invalid (and
would presumably have found the original Youtube prefixes to be valid).
As least that's how I understand RPKI.
I want *both* prefix filtering and a system like RPKI.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
