[AusNOG] google potential route hijacked.
Dobbins, Roland
Roland.Dobbins at netscout.com
Tue Nov 13 18:00:14 EST 2018
On 13 Nov 2018, at 13:50, Paul Wilkins wrote:

> If RPKI only had the same chain of trust for in-addr.arpa as the rest
> of DNS does back to iana.

Strong route origin policies via RPKI, plus
draft-azimov-sidrops-aspa-verification-01 &
draft-ietf-grow-rpki-as-cones-00 are ultimately the way to solve this
relatively automagically. In the interim, BCPs and working with major
transits to update them with valid upstream/peer paths so that they can
construct AS_PATH filters are a key defensive measure, as are all the
other route-filtering BCPs, as you note.

And we need BGP-speaker vendors to implement RFC8212 as a safeguard.
--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>
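
The route origin check that RPKI-based origin policies rely on (the RFC 6811 valid / invalid / notfound decision), as an added example that is not part of the original message. It checks the origin AS only and says nothing about the rest of the AS_PATH, which is what the ASPA and AS-cones drafts and the AS_PATH filters mentioned above address. The VRP table, the function names and the announcements are constructed, using documentation prefixes and documentation ASNs.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: what a validator hands to the router."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample VRPs (documentation address space and ASNs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),     # exact length only
    VRP("2001:db8::/32", 48, 64496),    # more-specifics allowed down to /48
    VRP("203.0.113.0/24", 24, 0),       # AS0 VRP: no origin is authorised
]


def validate(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (AS0 never matches) and not too specific.
        if vrp.asn != 0 and vrp.asn == origin_asn \
                and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "notfound"


def accept(announcements, vrps=VRPS):
    """Origin policy that drops invalids and keeps valid and notfound."""
    return [a for a in announcements if validate(a[0], a[1], vrps) != "invalid"]


if __name__ == "__main__":
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
              ("192.0.2.128/25", 64496), ("198.51.100.0/24", 64511)]
    for pfx, asn in sample:
        print(f"{pfx:18} AS{asn}: {validate(pfx, asn)}")
```
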