Article: DoD, DoJ press FCC for industry-wide BGP security standard

Fierce Telecom: DoD, DoJ press FCC for industry-wide BGP security standard

Way overdue! In the last 4 weeks, I’ve had at least 20 diff conversations with FSI Network operators re: BGP hijacking, how to detect and in the future, mitigate with higher levels of success. Come on BGP RPKI/ROA adaption. I found the easiest way is via ISP pressure to implement dropping invalid routes.

> Way overdue! In the last 4 weeks, I've had at least 20 diff
> conversations with FSI Network operators re: BGP hijacking, how to
> detect and in the future, mitigate with higher levels of success. Come
> on BGP RPKI/ROA adaption. I found the easiest way is via ISP pressure
> to implement dropping invalid routes.

to remind, ROV is a safety mechanism, not a security mechanism. it is
proving, as intended, to mitigate mistakes. which is very cool. but it
does not mitigate attacks of any sophistication.

randy
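An added illustration, not part of either post above: a minimal route origin validation check in the style of RFC 6811, showing which announcements a router that drops invalid routes would discard. The ROAs and announcements are constructed from documentation prefixes and ASNs, and the function names are hypothetical; the check looks only at an announcement's prefix and origin AS.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address block the holder authorised
    max_length: int  # longest prefix length allowed inside that block
    asn: int         # authorised origin AS (0 = "never route this")


# Constructed sample ROAs (documentation prefixes / reserved ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 36, 64497),
    ROA("203.0.113.0/24", 24, 0),
]


def validate(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn \
                and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none -> invalid.
    return "invalid" if covered else "not-found"


def filter_routes(announcements):
    """Drop invalids; accept valid and not-found (partial ROA coverage)."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate(prefix, asn)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


# Constructed announcements: correct origin, mistyped origin,
# over-specific leak, and a prefix with no ROA at all.
SAMPLE = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("2001:db8:abcd::/48", 64497),
    ("198.51.100.0/24", 64500),
]
```

Prefixes with no covering ROA come back as not-found and are still accepted, so the filter protects only address space whose holder has published ROAs.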

Does another barrier to entry make sense? This makes it even more difficult still for new companies to start.

Do we trust the FCC to come up with an industry wide fool proof (whatever that means) security standard? This is the same government that can’t stop fake phone calls.

> Does another barrier to entry make sense?

ROV's ROA creation is a barrier to entry in north america, as discussed
in another thread or see

    "Lowering Legal Barriers to RPKI Adoption" by Christopher S. Yoo and David A. Wishnick

there are other cultures where isp operational security is taken more
seriously than power and money.

> Do we trust the FCC to come up with an industry wide fool proof
> (whatever that means) security standard?

note that the DHS funded the development of both dns and routing
security technology. otoh, as other cultures, clue is not evenly
distributed.

the first step is said to be admitting one has a problem.

randy

ROA isn’t mandatory. If it was, it would be a better comparison. Still, showing that low adoption rate shows the industry’s interest in it.

I think we all see the problem, but is there a viable solution? Is the problem big enough to warrant the transition?

Randy -

I’d agreed in principle with the statement that “ROA creation is a barrier to entry in north america” –
as ARIN both started later with its RPKI service development and in some places has taken different
approaches due to liability concerns in the highly litigious US environment in which we operate.

Noting such, it is also worth pointing out that in the three years since publication of the Yoo/Wishnick
(UPenn) report, ARIN has made several significant changes in order to make our RPKI services more
usable both by those issuing ROAs as well as relying parties (e.g., integrating the RPKI service into
ARIN Online, adding support for hybrid ROA distribution model, allowing parties that wish to redistribute
ARIN RPKI repository to do so under agreement, allowing RPKI validator packages to distribute ARIN’s
TAL and use simple click acceptance of the RPA, and most recently issuing an update to the ARIN
RSA/LRSA which strikes much of the language in section 7 that gave pause to some organizations
during their legal review). These changes occurred after discussions & feedback from this community,
including in 2019 inviting Professor Yoo to present his findings during the ARIN 43 meeting –
<https://www.arin.net/blog/2019/04/09/arin-43-day-2-daily-recap/>

ARIN still has quite a bit to go with RPKI: we’ve only recently been doing focused training on RPKI
deployment; our RPKI user interface has colorful artifacts due to the requirement that organizations
externally digitally sign their ROA requests, and we lack any interface support for cross RPKI, IRR
& routing state reconciliation. Addressing these items is now underway and should help growth of
RPKI in the region, but I note that it is not holding back some organizations – ARIN has already seen
significant RPKI growth in 2021 and 2022. Just this year (January through the end of August) we have
gone from 2,334 to 2,931 orgs deploying RPKI and published ROAs going from 41,648 to 55,418.

We have substantial IPv4 address space in the ARIN region and therefore quite a long way to go
before our ROA coverage as a percentage is comparable to other regions, but the surge in RPKI
deployment over the last two years already has the total of ARIN IPv4 space covered by ROAs
comparable to that of the RIPE region in absolute terms; see [1] below. I don’t dispute that “ROA
creation is a barrier to entry in north america” (and remains so until ARIN addresses some of the
remaining issues) but also believe that the characterization in the three year old report is not as
timely / valid as when first issued, as since that time there has been a noticeable surge in RPKI
deployment in the region.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

[1] <https://certification-stats.ripe.net>

Mitigating against mistakes has value, and in some cases
so does being able to strongly suggest that there was a
more sophisticated approach taken.