Who's running all those tiny RPKI servers?

(blog.apnic.net)

50 points | by enz 5 hours ago

1 comments

  • ipdashc 1 hour ago
    Cool stuff. Though I've never quite understood how RPKI solves route hijacks. The article says it validates that you're allowed to announce a given prefix outright, but I thought the idea behind a BGP hijack was that you just say you have a good route towards a given prefix, and traffic flows through you as a result?
    • patmorgan23 40 minutes ago
      There's two kinds of route hijacks. Origin or path based.

      RPKI addresses who is allowed to originate a prefix. There are other technical changes that need to be implemented to get path validation, this cloud flare blog has a good write up on the issues/solutions.

      https://blog.cloudflare.com/bgp-route-leak-venezuela/

    • hnuser123456 47 minutes ago
      RPKI mainly makes the administrative side of the route database more formal and rigorous than previous internet routing registry implementations. The processes for using them to improve network security are discussed at https://manrs.org/

      They have a neat dashboard at https://observatory.manrs.org/

    • misja111 44 minutes ago
      The RPKI fix is that any node in a rpki tree is signed by the certificate from the authority above it, all the way up until some root certificate that you trust. So you cannot have some party hijacking a prefix, it would not be signed by its parent authority.