@riskybiz in the last weekly when talking about the white house jumping into RPKI, there was a comment to the effect of “nobody will want to do all the pki infra except .gov, so this should help”
Maybe I got the wrong impression but as an operator RPKI is not in need of pki, it’s in need of enforcement. The solution has two sides; signed announcements (ROAs) from the originator, and Validating policy enforcement (ROV) done by each internet router. The signing part is very popular and most ASNs do this now. The RIRs (like RIPE) do this in the place where you manage your IPs, so it’s very easy.
The problem is how few people deploy the origin validation part for prefixes they learn. Doug Madory posted an article on APNIC blog in April (https://blog.apnic.net/2024/05/08/rpki-rov-deployment-reaches-major-milestone) showing how this probably over 50% now, but it’s stagnated for a while now.
Getting that last 50% is gunna need a bigger stick, so govt getting involved is a start, but the problem isn’t infra level, it’s ASNs not being bothered…
Maybe I got the wrong impression but as an operator RPKI is not in need of pki, it’s in need of enforcement. The solution has two sides; signed announcements (ROAs) from the originator, and Validating policy enforcement (ROV) done by each internet router. The signing part is very popular and most ASNs do this now. The RIRs (like RIPE) do this in the place where you manage your IPs, so it’s very easy.
The problem is how few people deploy the origin validation part for prefixes they learn. Doug Madory posted an article on APNIC blog in April (https://blog.apnic.net/2024/05/08/rpki-rov-deployment-reaches-major-milestone) showing how this probably over 50% now, but it’s stagnated for a while now.
Getting that last 50% is gunna need a bigger stick, so govt getting involved is a start, but the problem isn’t infra level, it’s ASNs not being bothered…
Proton Mail
Anirvan Chatterjee