[arin-discuss] on the need for secure BGP routing and ARIN RPKI

Christopher Morrow morrowc.lists at gmail.com
Wed Nov 20 13:52:39 EST 2013


I don't want to deflate the 'do the rpkis!' balloon, but....

On Tue, Nov 19, 2013 at 6:04 PM, Paul Vixie <paul at redbarn.org> wrote:
> greetings, arin members. as i count down my last months as an arin trustee,
> i look to the future of our industry. the RIR system (ARIN and its sisters
> in other regions) has confronted many challenges during my nine years on the
> ARIN board, including for example the seemingly (yet, not!) intractable
> problem of how to motivate widespread IPv6 deployment before "final IPv4
> runout" forces everyone to make hard choices or to live in triple-NAT
> ghettos.
>
> yet, one of our most ambitious and worthwhile challenges receives very
> little discussion. that is: secure BGP routing, for which the RIR system has
> been working for almost a decade on the enabling technology -- RPKI --
> Routing Public Key Infrastructure. briefly, this is a way to bind a
> crypto-authentic key to blocks of address space, which will ultimately make
> it possible for network operators to sign their routing announcements and
> verify the announcements you receive.
>
> today our colleagues at renesys published a report on "man in the middle
> internet hijacking":
>
> http://www.renesys.com/2013/11/mitm-internet-hijacking/
>
> the key message of this article is this excerpt:
>
> ... In practical terms, this means that Man-In-the-Middle BGP route
> hijacking has now moved from a theoretical concern to something that happens
> fairly regularly, and the potential for traffic interception is very real.
> ...
>

it's not clear at all that this was MITM intentionally.
In fact it sort of looks like (more) operational mistakitude ;( AND
providers NOT route-filtering customers.

A good drum to beat for all customers of ISPs is, I think: "Hey, do
you prefix filter every single downstream customer? If not, why not?"

>
> i hope i can persuade all of you to read the renesys article cited above,
> and to investigate ARIN's RPKI project, in which the ARIN Board of Trustees
> has repeatedly voted to invest the company's technology resources:
>
> https://www.arin.net/resources/rpki/index.html
>

Ideally this helps, once more adoption happens, ISPs to check content
of their favorite IRR and construct better route filters for their
customer bgp sessions. (minus, of course the 'have to click through
webpages to accept the TAL cert... grumble, dead horse beatings,
grumble)

thnx paul!
-chris
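
Added example, not part of the original message and not ARIN or IRR tooling: a sketch of the workflow the reply describes, checking a customer's IRR route objects against RPKI data with RFC 6811 origin validation and building a strict per-customer prefix filter from the result. The prefixes, ASNs, function names and the policy of keeping "notfound" entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
# Validated ROA payloads (VRPs): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
]
# IRR route objects registered for one customer: (prefix, origin ASN).
IRR_ROUTES = [
    ("192.0.2.0/24", 64496),     # agrees with a ROA
    ("198.51.100.0/24", 64496),  # ROA names a different origin
    ("203.0.113.0/24", 64496),   # no ROA covers this prefix
]

def origin_validate(prefix, origin, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        if vrp_asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def build_customer_filter(irr_routes=IRR_ROUTES, vrps=VRPS):
    """Keep IRR entries that RPKI does not contradict (assumed policy)."""
    return {(ipaddress.ip_network(p), asn) for p, asn in irr_routes
            if origin_validate(p, asn, vrps) != "invalid"}

def accept(prefix, origin, allowed):
    """Strict customer filter: exact prefix and origin must be on the list."""
    return (ipaddress.ip_network(prefix), origin) in allowed

if __name__ == "__main__":
    allowed = build_customer_filter()
    for p, asn in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
                   ("198.51.100.0/24", 64496), ("203.0.113.0/24", 64496)]:
        print(p, f"AS{asn}", origin_validate(p, asn), accept(p, asn, allowed))
```

The more-specific 192.0.2.128/25 is rejected twice over: it exceeds the ROA's maxLength, and it is not an exact entry in the customer filter.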


