Stéphane BortzmeyerGood morning, Shenzhen! Fifth day of #IETF125 https://www.ietf.org/meeting/125/ making the network better everyday.
Today, for me, deep dive in routing security and the plenary (IETF talking about IETF).
Now, technical deep dive on routing security. Where are we on the security of Internet routing? Are BGP route hijackings a thing of the past?
Start with Geoff Huston's memories of a time where there was no RIR and people came to ISPs saying "this is my IP prefix, please route it", and it was difficult for the ISP to be the judge if two people claimed having the same prefix.
"Internet non-successes": Spam, dDoS, BCP38, secure end systems, secure networks, secure routing.
"Where there are common benefits but not individual benefits" [that's capitalism, see environmental issues]
"Internet routing security is hard [partly] because the costs are not borne by the beneficiaries" [capitalism, again]
"Internet routing security is also hard because humans underestimate risks. Otherwise, nobody would live in earthquake-threatened California."
There were and are many technical solutions to Internet routing security (IRR, ROV, BGPsec, Peerlock...). The last one is ASPA. https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/
A Profile for Autonomous System Provider Authorization
This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its upstream providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.
Job Snijders "my first experience of routing security was a German person on the phone yelling at me"
[He accidentally hijacked the german person's IP space with fat fingering.]
Job's conclusion is that RPKI works fine and that the routing security problem is basically solved (we "just" have to improve it). https://www.fastly.com/blog/war-story-rpki-is-working-as-intended
"RPKI is a distributed database and therefore has all the challenges of distributed databases"
"Every second, two new RPKI objects come into existence" "Every 24 hours, 33 % of the database changed" Total size is 1 Gbyte.
TIL "upserted" (for updated or inserted)
To explore the #RPKI database: https://rpkiviews.org/
#IETF125 plenary: 809 onsite participants (largest IETF in Asia)
The country with the most participants is... China.
Call for volunteers for the Moderator Team (RFC 9945).
[And then the network failed and we lost the remote presenter.]
Do not forget there is an IETF online shop :-) https://store.ietf.org/
And of course the mandatory discussion about physical meeting location (Indian people complaining about China visas). As usual, no solution works for everybody.
The autumn meeting in the USA also raises a lot of concerns.
Dan York@bortzmeyer The fundamental challenge at the CATALIST BoF AT #IETF125 was that you had people bringing these ideas about how the #IETF needs to do something about this bit of #AI … but they missed these basic things:
- WHAT PROBLEM NEEDS SOLVING?
- In solving the problem, what is not possible to do with existing protocols / systems / services?
There very well MAY be AI-related work that would make sense for the IETF to do.. but you need to start with the problem first!
John Shaft@bortzmeyer No #DNS "drinkware" :'(
Nivex 🐧 📻@bortzmeyer @danyork This shop is not in compliance with RFC 6540 / BCP 177.