5 comments

[ 3.0 ms ] story [ 17.7 ms ] thread
Betteridge's law of headlines strikes again
The "test your ISP" talks about Fastly and how it is failing.... is this test broken? Does it just test their own CDN front?
RPKI helps solve the vulnerabilities of BGP, but introduces issues of centralization. Is this the reason some of the major ISPs haven't deployed it yet?
Wow, AT&T Uverse (DSL) and AT&T Direct Stream (fiber) are not BGP-Safe.
Not a surprise. Almost no ISPs are truly BGP safe. If they were, most of the internet would be unreachable, because most routes (60%) are not signed: https://rpki-monitor.antd.nist.gov/ROV/20220730.06/All/All/4

Certainly some percentage of this is people being lazy. Though many routes will never be signed because the owners of these routes simply do not have the capability. For example, ARIN requires you to be a "member" to sign your routes. A good percentage of routes are held by "legacy" holders who have no interest in paying for their free address space just to "sign" them: https://www.arin.net/resources/guide/legacy/services/

IMO the US government (the original sponsor of IANA) should have compelled ICANN / IANA to make RPKI available to everyone when the regional address registries were created. They could've required all regional registries to make future security methods (like RPKI) available regardless of "membership" status, including legacy holders, for the good of the Internet. Unfortunately, that ship has sailed.