by zokier 746 days ago
Well over a decade after publication of RPKI it has been deployed at only 22% of US networks

https://observatory.manrs.org/

There is no justification for that not to be 100% at this point.

With this data at hand, can you really claim that the industry has successfully self-regulated itself?

2 comments

Legacy prefixes do not support RPKI unless you sign ARIN’s registration agreement and agree to pay. Many early IP address holders (including myself!) have never signed.

Why pay for something that was never agreed to be so?

You don’t have to pay a dime. But don’t expect the rest of the Internet (that DO pay for their resources) to continue to guarantee reachability to your address space.

If you won’t get on board with RPKI/IRR you can’t cry foul when the rest of the Internet is paying the price to be reachable.

I am a resource holder and I pay my dues. I have no problems with paying for that privilege.

Internet access is not an inalienable right. It is a privilege. Even as it’s become increasingly more and more of a utility. Until laws start to reflect that, it is still a privilege at best.

Edit: before someone says anything about the trust anchors. Reminder: there are two overarching namespaces to the Internet, IP and DNS. You are free to ignore the authorities of both, but don’t expect the rest of the Internet to play along when you want to use .billybob as your TLD.

As long as RPKI "unknown" / not-found prefixes are able to be globally routed, I will not pay. I have a legacy ARIN /24 from the 90's. It was cheaper for me to get an ASN and IPv6 block through a RIPE LIR than go through ARIN.

As for IRR, one of my upstreams created an RADB entry for me on behalf of my ASN, so not too concerned there.
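The comment above turns on one property of RPKI route origin validation: a prefix with no covering ROA is "not-found", and the common operator policy rejects only "invalid" routes, so an unsigned legacy block still propagates. The following is an added example, not code from the thread or from any RPKI validator, that implements the RFC 6811 validation states over a constructed set of ROAs (documentation prefixes and private ASNs, not real registry data) and shows how the not-found and invalid cases differ under an "invalid == reject" policy.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not from the original thread. The ROAs and routes below are
constructed sample data (RFC 5737 documentation prefixes and RFC 6996
private ASNs), not real registry contents.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # AS allowed to originate routes for it


# Constructed ROAs. Note that 192.0.2.0/24 (our "legacy /24") has none.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    A ROA "covers" a route when the route prefix is equal to or more
    specific than the ROA prefix. The route is valid if any covering ROA
    authorises this origin AS and the prefix length is within maxLength;
    invalid if covering ROAs exist but none match; not-found otherwise.
    """
    net = ipaddress.ip_network(prefix)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so filter by version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(prefix: str, origin_as: int, roas=ROAS,
                 drop_not_found: bool = False) -> bool:
    """Model an operator import policy.

    The widely deployed policy is "invalid == reject": not-found routes are
    still accepted, which is exactly why an unsigned legacy /24 stays
    reachable. Setting drop_not_found=True models the (hypothetical)
    stricter policy the commenter is waiting for before paying for ROAs.
    """
    state = rov_state(prefix, origin_as, roas)
    if state == "invalid":
        return False
    if state == "not-found" and drop_not_found:
        return False
    return True


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS, description)
    announcements = [
        ("203.0.113.0/24", 64500, "legitimate origin"),
        ("203.0.113.0/24", 64666, "origin hijack"),
        ("203.0.113.0/25", 64500, "more-specific beyond maxLength"),
        ("198.51.100.0/24", 64501, "more-specific within maxLength"),
        ("192.0.2.0/24", 64502, "legacy /24 with no ROA at all"),
    ]
    for prefix, asn, note in announcements:
        print(f"{prefix:18} AS{asn}  {rov_state(prefix, asn):9} "
              f"accept={accept_route(prefix, asn)}  ({note})")
```

The "origin hijack" and "beyond maxLength" cases are rejected only because a ROA exists for 203.0.113.0/24; the same hijack of the unsigned 192.0.2.0/24 would be "not-found" and therefore accepted, so signing a ROA protects the holder, not merely the rest of the Internet.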

Your sponsoring LIR for IPv6 space and ASNs can also be your sponsoring LIR for legacy IPv4 assignments: https://www.ripe.net/manage-ips-and-asns/legacy-resources/ri...

You can then issue RPKI ROAs.

I have heard of this. I would need to transfer my ARIN IPv4 block to RIPE though, right?

Yes.

Whether or not a particular standard has been implemented is not interesting. What matters is the result.

Is BGP an attack vector that matters for the vast majority of threat models right now? I would say no. Given that: there is no need for (inevitably) poor regulation.

If your operation includes communication over the Internet, BGP hijack is in your threat model (or your threat model is incomplete). I don't understand how "endpoints we care about may become unreachable" is not a big point for everyone. (Unless your business is extremely async and a day of delays is insignificant.)

By this logic, I should be concerned about defending against raccoon attacks since they are endemic to my area and I often go outside.

The point is that, in practice, the attacks are so uncommon and mitigated by so many other factors that the cost of further mitigation isn't worth it.

You develop a threat model to specifically get rid of concerns like this; not to list every possible attack vector imaginable.