On 20 Jan 2012, at 10:38, Yang Xiang wrote:
RPKI is great.
But, firstly, ROA doesn't cover all the prefixes now; we need an alternative service to alert hijackings.
Or to sign your prefixes.
secondly, ROA can only secure the 'Origin AS' of a prefix,
That's true.
while Argus can discover potential hijackings caused by anomalous AS path.
Can you explain how?
After ROA and BGPsec are deployed in the entire Internet (or, in all of your network), Argus will stop the service :)
I was just suggesting to add a more deterministic way to detect hijacks.
Regards, as
2012/1/20 Arturo Servin <aservin@lacnic.net>
You could use RPKI and origin validation as well.
We have an application that does that.
http://www.labs.lacnic.net/rpkitools/looking_glass/
For example you can periodically check if your prefix is valid:
http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84....
If it were invalid for a possible hijack it would look like:
http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31....
Or you can just query for any state:
http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0...
Regards, as
--
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
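Added example, not part of the original thread and not the LACNIC looking-glass code: a minimal RFC 6811 route origin validation check that returns the valid / invalid / not-found states discussed above and shows that only the origin AS of the path is examined. The ROAs, prefixes and AS numbers are constructed documentation values, and the names `ROA` and `validate` are assumptions made for this sketch.

```python
import ipaddress
from typing import List, NamedTuple


class ROA(NamedTuple):
    prefix: str       # authorised prefix
    max_length: int   # longest announcement length the ROA permits
    asn: int          # authorised origin AS


# Constructed sample ROAs (documentation prefixes and AS numbers, not real data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
]


def validate(prefix: str, as_path: List[int], roas: List[ROA] = ROAS) -> str:
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # only the right-most AS of the path is examined
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # AS 0 in a ROA never matches any origin.
        if roa.asn != 0 and roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, path in [
        ("192.0.2.0/24", [64500, 64496]),     # matching origin and length
        ("192.0.2.0/24", [64500, 64499]),     # covered, wrong origin
        ("192.0.2.0/25", [64500, 64496]),     # longer than max_length
        ("198.51.100.0/24", [64500, 64498]),  # no covering ROA
        ("2001:db8:1::/48", [64501, 64497]),  # IPv6, within max_length
    ]:
        print(pfx, path, validate(pfx, path))
```

The not-found result is the case of a prefix with no ROA, and because the path argument contributes only its last element, announcements that differ in their AS path but share an origin always receive the same state.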