RPKI helps solve the vulnerabilities of BGP, but introduces issues of centralization. Is this the reason some of the major ISPs haven't deployed it yet?
Certainly some percentage of this is people being lazy. Though many routes will never be signed because the owners of these routes simply do not have the capability. For example, ARIN requires you to be a "member" to sign your routes. A good percentage of routes are held by "legacy" holders who have no interest in paying for their free address space just to "sign" them: https://www.arin.net/resources/guide/legacy/services/
IMO the US government (the original sponsor of IANA) should have compelled ICANN / IANA to make RPKI available to everyone when the regional address registries were created. They could've required all regional registries to make future security methods (like RPKI) available regardless of "membership" status, including legacy holders, for the good of the Internet. Unfortunately, that ship has sailed.
5 comments
[ 3.0 ms ] story [ 17.7 ms ] threadCertainly some percentage of this is people being lazy. Though many routes will never be signed because the owners of these routes simply do not have the capability. For example, ARIN requires you to be a "member" to sign your routes. A good percentage of routes are held by "legacy" holders who have no interest in paying for their free address space just to "sign" them: https://www.arin.net/resources/guide/legacy/services/
IMO the US government (the original sponsor of IANA) should have compelled ICANN / IANA to make RPKI available to everyone when the regional address registries were created. They could've required all regional registries to make future security methods (like RPKI) available regardless of "membership" status, including legacy holders, for the good of the Internet. Unfortunately, that ship has sailed.