[HN Gopher] How AWS is helping to secure internet routing

How AWS is helping to secure internet routing
Author : mcbain
Score  : 42 points
Date   : 2021-01-13 20:11 UTC (2 hours ago)
Link   : aws.amazon.com

| jgrahamc wrote:
| See also https://isbgpsafeyet.com/ and
| https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-sec...

| ed25519FUUU wrote:
| ISPs need this big time.

| ericpauley wrote:
| See also: https://blog.cloudflare.com/rpki/ (2018)

| dangerboysteve wrote:
| Listened to a good podcast about this a while back:
|
| https://softwareengineeringdaily.com/2020/12/02/bgp-with-and...

| rossdavidh wrote:
| Well, I feel so much more secure about that now.

| ancarda wrote:
| > We are happy to have over 99% of our IPv4 and IPv6 -Space covered
| > under a Route Origination Authorization, and that we are right now
| > dropping RPKI invalid routes in every single Point-of-Presence for
| > AS16509.
|
| Does anyone know if AWS is going to push the remaining 1% to
| implement ROA?
|
| Also, it sounds like an unsigned route - which I think most BGP
| announcements are - is still accepted, right? Any idea when we can
| start to require routes be signed?
| | kitteh wrote:
| | There can be legitimate use cases why a network may have a very few
| | prefixes not signed or even invalid: canaries and beacons.
| |
| | For example, running tests to a signed, unsigned and invalid prefix
| | can provide insight into how other networks are routing to them.
| |
| | One example is a beacon to probe to determine if a network has
| | enabled origin validation. Failure to connect, or a change in the
| | routing path, can provide insight into which networks on the
| | internet have enabled origin validation.
| | wmf wrote:
| | Making RPKI mandatory is like turning off IPv4 after everyone has
| | adopted IPv6.
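The three RPKI states the sub-thread above turns on (a signed route that a ROA authorises, an unsigned route no ROA covers, and an invalid route) are decided by route origin validation as specified in RFC 6811. The following is an added worked example, not code from the AWS post or from any commenter: it implements the RFC 6811 decision over a constructed ROA set, the drop-Invalid/keep-NotFound policy AWS describes, and a small model of the beacon test kitteh mentions. All prefixes, ASNs and ROAs are made up from documentation ranges and private ASNs, not AWS's actual ROAs.

```python
"""Route origin validation (RFC 6811) over a constructed ROA set.

Added example, not code from the AWS post or any commenter. The ROAs and
announcements are constructed from documentation ranges (TEST-NET-2/3,
2001:db8::/32) and private ASNs, not real AWS data.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


class RovState(Enum):
    VALID = "valid"          # a covering ROA authorises this origin AS
    INVALID = "invalid"      # covered, but no ROA authorises origin/length
    NOT_FOUND = "not-found"  # no ROA covers the prefix (an "unsigned" route)


@dataclass(frozen=True)
class Roa:
    prefix: Network
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    return Roa(ip_network(prefix, strict=True), max_length, asn)


def covers(r: Roa, prefix: Network) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA
    prefix. Address families are compared first because subnet_of()
    raises on a v4/v6 mix."""
    return r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)


def validate(route_prefix: str, origin_asn: int, roas: Iterable[Roa]) -> RovState:
    """RFC 6811 section 2: NotFound if nothing covers the prefix; Valid if
    some covering ROA has the same origin AS and maxLength >= prefix
    length; otherwise Invalid. An AS0 ROA (RFC 7607) authorises no origin,
    so it can only make announcements Invalid."""
    prefix = ip_network(route_prefix, strict=True)
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return RovState.NOT_FOUND
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and prefix.prefixlen <= r.max_length:
            return RovState.VALID
    return RovState.INVALID


def accept(state: RovState, drop_not_found: bool = False) -> bool:
    """The policy AWS describes: drop Invalid, keep Valid and NotFound.
    drop_not_found=True models a hypothetical 'routes must be signed'
    policy, which would also reject every unsigned announcement."""
    if state is RovState.INVALID:
        return False
    if state is RovState.NOT_FOUND:
        return not drop_not_found
    return True


# Constructed ROA set for a fictional network, AS64500.
ROAS = [
    roa("203.0.113.0/24", 24, 64500),
    roa("2001:db8::/32", 48, 64500),
    roa("198.51.100.0/24", 24, 0),    # AS0 ROA: nobody may originate this
]

# Constructed beacons of the kind kitteh describes: one prefix in each
# RPKI state, each announced by the beacon operator as (prefix, origin AS).
BEACONS: Dict[str, Tuple[str, int]] = {
    "signed":   ("203.0.113.0/24", 64500),   # Valid
    "unsigned": ("192.0.2.0/24", 64500),     # NotFound: no ROA at all
    "invalid":  ("203.0.113.0/25", 64500),   # too specific for maxLength 24
}


def beacon_view(network_validates: bool) -> set:
    """Which beacons a remote network can reach. A network that does not
    validate reaches all three; one that drops Invalid loses the
    'invalid' beacon, which is how a probe detects ROV deployment."""
    reached = set()
    for name, (prefix, asn) in BEACONS.items():
        state = validate(prefix, asn, ROAS)
        if not network_validates or accept(state):
            reached.add(name)
    return reached


if __name__ == "__main__":
    for pfx, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64501),
                     ("198.51.100.0/24", 64500), ("192.0.2.0/24", 64500)]:
        print(f"{pfx} from AS{asn}: {validate(pfx, asn, ROAS).value}")
    print("non-validating network reaches:", sorted(beacon_view(False)))
    print("validating network reaches:    ", sorted(beacon_view(True)))
```

The point to notice is the asymmetry ancarda asks about: `accept()` rejects only Invalid, so an announcement for a prefix with no ROA at all (NotFound) still passes, and that is the state most of the global table is in today. Flipping `drop_not_found` is what "requiring routes to be signed" would mean, and with the current ROA coverage it would drop far more than hijacks.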
| jtdev wrote:
| Does this give AWS any ability to block/censor or influence access
| to segments of the internet that they might not politically
| "approve" of?
| | advisedwang wrote:
| | No. If anything this makes it harder for anyone to block segments
| | of the internet, by ensuring the integrity of routing to any given
| | netblock.
| | | jtdev wrote:
| | | Who is the authority on the integrity of routing?
| | | | colde wrote:
| | | | The owner of the netblock.
| | | | superkuh wrote:
| | | | The certificate authority that signs the routes. So yeah, this
| | | | will centralize control of routing and expose it to things like
| | | | government censorship and corporation exploitation. Sometimes
| | | | the wild west is better than an authoritarian government.
| | | |
| | | | Like DNSSEC, this is only good for megacorps and nation-states.
| | | | If anything it will expose human people to more abuse and
| | | | exploitation.
| | | | | ancarda wrote:
| | | | | Has this happened as HTTPS adoption has increased? Do you
| | | | | believe BGP RPKI will be different?
| | | | |
| | | | | A lot of threads about rising use of encryption seem to have
| | | | | this fear - that it will be used against us at some point -
| | | | | and I'd really like to understand where this fear comes from.
| | | | |
| | | | | Even taking a recent example of Parler: as far as I know it
| | | | | had HTTPS support and the corresponding X.509 cert was never
| | | | | revoked - instead hosting and, I think, the domain were
| | | | | terminated.
| | | | | | jtdev wrote:
| | | | | | It seems like we should be more focused on the possibility
| | | | | | of this being abused rather than asking if it's been abused
| | | | | | _yet_.
| | bawolff wrote:
| | Amazon at any point can create a firewall (it would be business
| | suicide, however, to do so for geopolitical reasons). This,
| | however, has nothing to do with that.

(page generated 2021-01-13 23:00 UTC)