[routing-wg] looking for online RPKI dashboard / looking glass?
Job Snijders job at ntt.net
Wed May 2 21:27:09 CEST 2018
On Wed, May 02, 2018 at 09:18:50PM +0200, Matthias Waehlisch wrote: > > > *scratch head* > > > > If your DDoS mitigator depends on BGP hijacking to deliver their > > scrubbing services to you ... indeed you'll have challenges. I have > > no good answer, this is an architectural flaw where one has to make > > a trade-off between wanting to protect against hijacks and having > > the ability to insert more-specifics for legitimate purposes. > > RPKI origin validation does not protect against path manipulation. > > Even if you announcing the /24, someone else could hijack with a faked > origin A. It just gets more difficult because there are competing > announcements. For path validation there are other tricks! It is a bit of a poor man's solution, but so much better than nothing. It only protects a subset of all ASNs, but combined with RPKI Origin Validation this would be extremely effective. https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf https://www.youtube.com/watch?v=CSLpWBrHy10 Kind regards, Job