On Sat, Apr 28, 2012 at 01:17:10PM +0300, Saku Ytti <saku@ytti.fi> wrote a message of 27 lines which said:
I think ROVER is better solution, doesn't need any changes to BGP just little software magic when accepting routes.
I like Rover but RPKI+ROA does not change BGP either (it will be a different story with BGPsec).
People might scared to rely on DNS on accepting routes, but is this really an issue?
RPKI+ROA depends on DNS too, since rsync://rpki.ripe.net/repository will work only if DNS works. Not a problem in practice, since route origins do not change every minute and the validating ROA cache can work even if it can no longer update its data. Same thing with Rover: temporary glitches in the DNS are not a practical problem (the router keeps the old info).
routes which fail authorization are logged but accepted if there wasn't pre-existing covering route. Only drop routes if they fail authorization _AND_ there is pre-existing covering route.
It is a bit more complicated: more-specific attacks, and so on. But, yes, you're right. As Alex Band says, Rover, RPKI and the IRR make (authenticated) statements about route origins. You then do what you want (what your boss wants? what the FBI wants?) with these statements (route-map, etc).
participants (1)
-
Stephane Bortzmeyer