So this series is about BGP origin validation. Origin validation was mentioned previously and elsewhere in the series about BGP best practices, and it is one of the MANRS principles that was discussed elsewhere in this series as well. So let's have a look at what BGP origin validation is and what it means.

How do we know that an autonomous system is permitted to originate the prefix it is originating? Is it just implicit trust? Is it because the Internet Routing Registry says that we can? In fact, the Internet Routing Registry, as we saw earlier, only documents routing policy, and it also has a large amount of outdated and incorrect information. So there must be something else available that lets us validate the BGP route announcements, and this is called route origin authorization.

RPKI is the Resource Public Key Infrastructure, and that's the certificate infrastructure for origin and, potentially in the future, for path validation. We need to be able to authoritatively prove who owns an IP address prefix and which autonomous system or autonomous systems may announce it. Prefix ownership follows the allocation hierarchy through IANA, the regional registries, the internet service providers and so on; we saw that elsewhere in the introductory part of this series.

Origin validation uses the RPKI to detect and prevent mis-origination of someone else's prefixes, and work started on this around early 2012. AS path validation is future work, and the idea here is to prevent attacks on BGP somewhere along the AS path. But first we're going to work on origin validation. Having origin validation deployed allows us to do the next phases to secure the routing system.

The idea behind origin validation is to prevent the well-known YouTube accident from a few years ago and many other worse incidents and more recent incidents that have affected the modern internet. Origin validation will also prevent most accidental announcements, where network operators have accidentally announced incorrect prefixes, usually due to mistyping address space or mistyping what's listed in BGP filters. Origin validation will not prevent malicious path attacks. That's coming, and that will require something known as path validation and locking the data plane to the control plane. This is really the third step, what is known as BGPsec.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)