nanog mailing list archives
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
From: Yang Xiang <xiangy08 () csnet1 cs tsinghua edu cn>
Date: Fri, 20 Jan 2012 20:38:55 +0800
RPKI is great. But, firstly, ROA doesn't cover all the prefixes now, so we need an alternative service to alert on hijackings. Secondly, ROA can only secure the 'Origin AS' of a prefix, while Argus can discover potential hijackings caused by an anomalous AS path.

After ROA and BGPsec are deployed in the entire Internet (or, in all of your network), Argus will stop the service :)

2012/1/20 Arturo Servin <aservin () lacnic net>
You could use RPKI and origin validation as well. We have an application that does that.

http://www.labs.lacnic.net/rpkitools/looking_glass/

For example you can periodically check if your prefix is valid:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/

If it were invalid for a possible hijack it would look like:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/

Or you can just query for any state:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/

Regards,
as
--
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
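The valid, invalid and uncovered states discussed in this message follow from the origin-validation procedure of RFC 6811, sketched here as an added example that is not part of the original message and is not the LACNIC tool's code. The ROA set, the prefixes (documentation ranges) and the AS numbers (documentation range 64496-64511) are constructed for illustration.

```python
import ipaddress

# Constructed ROA set: (prefix, maxLength, authorized origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
]

def validate_origin(prefix, as_path, roas=ROAS):
    """Classify a BGP route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    Only the origin AS (last element of as_path) is compared with the ROAs;
    the rest of the path is never inspected.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches if the length is allowed and the origin agrees.
        if route.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    # Covered but no match: invalid. No covering ROA at all: not-found.
    return "invalid" if covered else "not-found"

# Constructed announcements: (prefix, AS path as seen by the monitor).
SAMPLES = [
    ("192.0.2.0/24", [64500, 64496]),         # expected origin
    ("192.0.2.0/24", [64500, 64511]),         # wrong origin AS
    ("192.0.2.128/25", [64500, 64496]),       # longer than maxLength
    ("203.0.113.0/24", [64500, 64511]),       # no ROA covers this prefix
    ("192.0.2.0/24", [64500, 64511, 64496]),  # unexpected AS mid-path, right origin
]

def classify_all(samples=SAMPLES):
    return [(p, path, validate_origin(p, path)) for p, path in samples]

if __name__ == "__main__":
    for prefix, path, state in classify_all():
        print(f"{prefix:18} path={path} -> {state}")
```

The fourth sample is the uncovered-prefix case (no alarm is possible from ROAs alone), and the fifth is the anomalous-path case that origin validation accepts because the origin AS matches.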