[routing-wg] looking for online RPKI dashboard / looking glass?
Matthias Waehlisch m.waehlisch at fu-berlin.de
Wed May 2 21:18:50 CEST 2018
On Wed, 2 May 2018, Job Snijders wrote:

> > How would you recommend handling the case
> >
> > "normally I only announce a /16, but in case one of our customers is
> > DDoSed, I want to announce the affected IP address as part of their
> > /24 out of upstream-that-does-regional-blackholing"?
> >
> > If I create the /24 ROAs up front, I'm back in square one ("while I
> > am not announcing the /24, someone else could hijack with a faked
> > origin AS").
> >
> > If I do not create the /24 ROAs up front, I have propagation delays
> > (and might not be able to reach the RIPE RPKI tool at all while the
> > DDoS goes on).
> >
> > *scratch head*
>
> If your DDoS mitigator depends on BGP hijacking to deliver their
> scrubbing services to you ... indeed you'll have challenges. I have no
> good answer, this is an architectural flaw where one has to make a
> trade-off between wanting to protect against hijacks and having the
> ability to insert more-specifics for legitimate purposes.

RPKI origin validation does not protect against path manipulation. Even if
you are announcing the /24, someone else could hijack with a faked origin
AS. It just gets more difficult because there are competing announcements.

Cheers
  matthias

-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
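The trade-off discussed in the thread can be made concrete by running both ROA strategies through route origin validation. The following is an added example, not code from the thread or from either poster: it implements the RFC 6811 Valid/Invalid/NotFound decision and applies it to a constructed scenario. The prefixes (RFC 1918 space, 10.1.0.0/16 and 10.1.2.0/24), the AS numbers (AS64500 as the customer, AS64666 as the hijacker) and the function names are assumptions made for illustration.

```python
"""Route origin validation (RFC 6811 semantics) applied to the /16-vs-/24
blackholing trade-off discussed in the thread.

Added example, not code from the thread or from either poster. Prefixes
(RFC 1918 space) and AS numbers (private-use range) are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "10.1.0.0/16"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def validate(roas: Iterable[ROA], prefix: str, origin_as: int) -> str:
    """Classify (prefix, origin_as) as 'valid', 'invalid' or 'notfound'.

    RFC 6811: a ROA covers the announcement when the announced prefix lies
    within the ROA prefix. With no covering ROA the state is NotFound. The
    announcement is Valid if some covering ROA matches the origin AS and
    the announced length does not exceed maxLength, otherwise Invalid.
    """
    ann = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "notfound"
    if any(r.asn == origin_as and ann.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def origin_of(as_path: List[int]) -> int:
    """ROV only looks at the rightmost AS of AS_PATH; the rest is unchecked."""
    return as_path[-1]


# Constructed scenario: the customer originates 10.1.0.0/16 from AS64500 and
# wants to blackhole 10.1.2.0/24 through an upstream during a DDoS. AS64666
# is the hijacker.
CUSTOMER_AS = 64500
HIJACKER_AS = 64666
AGGREGATE = "10.1.0.0/16"
MORE_SPECIFIC = "10.1.2.0/24"


def scenario() -> dict:
    """ROV outcomes for both ROA strategies described in the thread."""
    only_16 = [ROA(AGGREGATE, 16, CUSTOMER_AS)]
    with_24 = only_16 + [ROA(MORE_SPECIFIC, 24, CUSTOMER_AS)]
    forged_path = [HIJACKER_AS, CUSTOMER_AS]  # hijacker forges the victim's AS as origin
    return {
        # steady state: the aggregate is Valid under either ROA set
        "aggregate": validate(only_16, AGGREGATE, CUSTOMER_AS),
        # no /24 ROA: the legitimate blackhole /24 is Invalid until a ROA propagates...
        "no_roa_blackhole": validate(only_16, MORE_SPECIFIC, CUSTOMER_AS),
        # ...but a /24 with a forged origin is Invalid as well (maxLength is 16)
        "no_roa_forged_origin": validate(only_16, MORE_SPECIFIC, origin_of(forged_path)),
        # /24 ROA created up front: the blackhole announcement is Valid at once...
        "roa_blackhole": validate(with_24, MORE_SPECIFIC, CUSTOMER_AS),
        # ...a hijacker originating from its own AS is Invalid...
        "roa_hijack_own_as": validate(with_24, MORE_SPECIFIC, HIJACKER_AS),
        # ...and a hijacker forging the customer's origin AS is Valid: ROV cannot
        # tell it apart from the real blackhole announcement
        "roa_forged_origin": validate(with_24, MORE_SPECIFIC, origin_of(forged_path)),
    }


if __name__ == "__main__":
    for case, state in scenario().items():
        print(f"{case:22s} {state}")
```

The third option sometimes suggested, a single /16 ROA with maxLength 24, also makes the blackhole /24 Valid immediately, but it widens the forged-origin window from the one /24 that has its own ROA to every /24 in the block, which is why a ROA per prefix actually announced is the usual advice.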