I remember having this discussion more than 20yrs ago, minus the ARIN bit, couldn't get every to agree to it it then either :(. We don't need more rules, we just need to start with basic hygiene. Was a novel idea :) On Mon., Apr. 20, 2020, 2:41 p.m. Christopher Morrow, < morrowc.lists@gmail.com> wrote:
On Mon, Apr 20, 2020 at 12:25 PM Tom Beecher <beecher@beecher.cc> wrote:
Technical people need to make the business case to management for RKPI
by laying out what it would cost to implement (equipment, resources, ongoing opex), and what the savings are to the company from protecting themselves against hijacks. By taking this step, I believe RPKI will become viewed by non-technical decision makers as a 'Cloudflare initiative' instead of a 'good of the internet' initiative, especially by some companies who compete with Cloudflare in the CDN space.
you say here: "RPKI" but the cloudflare thing is a little bit more nuanced than that, right? 'RPKI" is really: "Did you sign ROA for your IP Number Resources?" what you do with the RPKI data is the 'more nuanced' part of the webpage. 1) Do you just sign? 2) do you sign and also do Origin Validation(OV) for your peers? 3) do you just do OV and not sign your own IP Number Resources?
I think CloudFlare (and other folk doing bgp security work) would like 'everyone' to: 1) sign ROA for their IP number resources 2) enable OV on your peerings 3) prefix filter all of your peerings
I believe that will change the calculus and make it a more difficult sell for technical people to get resources approved to make it happen.
I don't think that's the case... but I'm sure we'll be proven wrong :)
-chris