[HN Gopher] How AWS is helping to secure internet routing
___________________________________________________________________
How AWS is helping to secure internet routing
Author : mcbain
Score : 42 points
Date : 2021-01-13 20:11 UTC (2 hours ago)
(HTM) web link (aws.amazon.com)
(TXT) w3m dump (aws.amazon.com)
| jgrahamc wrote:
| See also https://isbgpsafeyet.com/ and
| https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-sec...
| ed25519FUUU wrote:
| ISPs need this big time.
| ericpauley wrote:
| See also: https://blog.cloudflare.com/rpki/ (2018)
| dangerboysteve wrote:
| Listened to a good podcast about this a while back
|
| https://softwareengineeringdaily.com/2020/12/02/bgp-with-and...
| rossdavidh wrote:
| Well, I feel so much more secure about that, now.
| ancarda wrote:
| >We are happy to have over 99% of our IPv4 and IPv6 -Space
| covered under a Route Origination Authorization, and that we are
| right now dropping RPKI invalid routes in every single Point-of-
| Presence for AS16509.
|
| Does anyone know if AWS is going to push the remaining 1% to
| implement ROA?
|
| Also, it sounds like an unsigned route - which I think most BGP
| announcements are - is still accepted, right? Any idea when we
| can start to require routes be signed?
| kitteh wrote:
| There can be legitimate use cases why a network may have a
| very small number of prefixes not signed or even invalid:
| canaries and beacons.
|
| For example, running tests to a signed, unsigned and invalid
| prefix can provide insight into how other networks are routing
| to them.
|
| One example is a beacon to probe to determine if a network has
| enabled origin validation. Failure to connect, or a change in
| the routing path can provide insight into which networks on the
| internet have enabled origin validation.
| wmf wrote:
| Making RPKI mandatory is like turning off IPv4 after everyone
| has adopted IPv6.
| jtdev wrote:
| Does this give AWS any ability to block/censor or influence
| access to segments of the internet that they might not
| politically "approve" of?
| advisedwang wrote:
| No. If anything this makes it harder for anyone to block
| segments of the internet, by ensuring the integrity of routing
| to any given netblock.
| jtdev wrote:
| Who is the authority on the integrity of routing?
| colde wrote:
| The owner of the netblock.
| superkuh wrote:
| The certificate authority that signs the routes. So yeah,
| this will centralize control of routing and expose it to
| things like government censorship and corporation
| exploitation. Sometimes the wild west is better than an
| authoritarian government.
|
| Like DNSSEC this is only good for megacorps and
| nation-states. If anything it will expose human people to
| more abuse and exploitation.
| ancarda wrote:
| Has this happened as HTTPS adoption has increased? Do you
| believe BGP RPKI will be different?
|
| A lot of threads about rising use of encryption seem to
| have this fear - that it will be used against us at some
| point, and I'd really like to understand where this fear
| comes from.
|
| Even taking a recent example of Parler; as far as I know
| it had HTTPS support and the corresponding X.509 cert was
| never revoked - instead hosting and I think the domain
| was terminated.
| jtdev wrote:
| It seems like we should be more focused on the
| possibility of this being abused rather than asking if
| it's been abused _yet_.
| bawolff wrote:
| Amazon at any point can create a firewall (it would be business
| suicide however to do so for geopolitical reasons). This
| however has nothing to do with that.
___________________________________________________________________
(page generated 2021-01-13 23:00 UTC)