Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
On 20 Jan 2012, at 10:38, Yang Xiang wrote:
> RPKI is great.
>
> But, firstly, ROA doesn't cover all the prefixes now,
> we need an alternative service to alert hijackings.
Or to sign your prefixes.
>
> secondly, ROA can only secure the 'Origin AS' of a prefix,
That's true.
> while Argus can discover potential hijackings caused by anomalous AS path.
Can you explain how?
>
> After ROA and BGPsec are deployed in the entire Internet (or, in all of your network),
> Argus will stop the service :)
I was just suggesting to add a more deterministic way to detect hijacks.
Regards,
as
>
> 2012/1/20 Arturo Servin <aservin at lacnic.net>
>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
>
>
> Regards,
> as
>
>
>
>
>
> --
> _________________________________________
> Yang Xiang. Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn
>
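
Added example, not part of the original messages and not the code of the LACNIC tool: a Python implementation of RPKI route origin validation with the valid / invalid / not-found states of RFC 6811, illustrating the two points raised in the thread (prefixes with no covering ROA, and only the origin AS being checked). The ROA entries use documentation prefixes and ASNs and are constructed; `ROA`, `validate_origin` and `validate_route` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple, Sequence


class ROA(NamedTuple):
    prefix: str      # prefix authorised by the ROA
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS


# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64497),
]


def validate_origin(route_prefix: str, origin_asn: int, roas: Sequence[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a (prefix, origin AS) pair."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route equals or is inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA never matches; max_length bounds how specific the route may be.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but no match: invalid. No covering ROA at all: not-found.
    return "invalid" if covered else "not-found"


def validate_route(route_prefix: str, as_path: Sequence[int], roas: Sequence[ROA]) -> str:
    """Origin validation of a full route: only the last AS in the path is used."""
    return validate_origin(route_prefix, as_path[-1], roas)


if __name__ == "__main__":
    print(validate_origin("192.0.2.0/24", 64496, SAMPLE_ROAS))       # authorised origin
    print(validate_origin("192.0.2.0/24", 64511, SAMPLE_ROAS))       # wrong origin
    print(validate_origin("198.51.100.128/25", 64497, SAMPLE_ROAS))  # too specific
    print(validate_origin("203.0.113.0/24", 64500, SAMPLE_ROAS))     # no ROA covers it
    # Two different AS paths with the same origin get the same answer,
    # which is why path anomalies need a separate detection mechanism.
    print(validate_route("192.0.2.0/24", [64500, 64496], SAMPLE_ROAS))
    print(validate_route("192.0.2.0/24", [64501, 64502, 64496], SAMPLE_ROAS))
```
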