On Sun, Oct 22, 2023 at 10:06 AM Tom Beecher <beecher@beecher.cc> wrote:
And is it your belief that this addresses the described attack vector? AFAICT, it does not.
In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't.
I don't see a path to an Internet where a serious network operator can broadly discard routes for which there is no RPKI information. Especially given that many legacy folks are barred by the registry from participating in RPKI. Do you see a path? Then we have to treat this as a case where RPKI is non-performant and operate with the understanding that an AS0 ROA will not, as a practical matter, accomplish the thing it was designed to do.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/