So this series is about BGP origin validation. Origin validation was mentioned previously and elsewhere in the series about BGP best practices, and it is one of the many principles that was discussed elsewhere in this series as well. So let's have a look at what BGP origin validation is and what it means.

How do we know that an autonomous system is permitted to originate the prefix it is originating? Is it just implicit trust? Is it because the Internet Routing Registry says that we can? In fact the Internet Routing Registry, as we saw earlier, only documents routing policy, and it also has a large amount of outdated and incorrect information. So there must be something else available that lets us validate the BGP route announcements, and this is called Route Origin Authorization. RPKI is the Resource Public Key Infrastructure, and that's the certificate infrastructure for origin and, potentially in the future, for path validation. We need to be able to authoritatively prove who owns an IP address prefix and which autonomous system or autonomous systems may announce it. Prefix ownership follows the allocation hierarchy through IANA, the regional registries, the internet service providers and so on; we saw that elsewhere in the introductory part of this series.

Origin validation uses the RPKI to detect and prevent mis-origination of someone else's prefixes, and work started on this around early 2012. Yes, path validation is future work, and the idea there is to prevent attacks on BGP somewhere along the AS path, but first we're going to work on origin validation. Having origin validation deployed allows us to do the next phases to secure the routing system.

The idea behind origin validation is to prevent the well-known YouTube accident from a few years ago, and many other worse incidents and more recent incidents that have affected the modern internet. Origin validation will also prevent most accidental announcements where network operators have accidentally announced incorrect prefixes, usually due to mistyping address space or mistyping what's listed in BGP filters. Origin validation will not prevent malicious path attacks; that's coming, and that will require something known as path validation and locking the data plane to the control plane. This is really the third step, what is known as BGPsec.
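The following is an added worked example, not part of the lecture or of NSRC's material, showing the route origin validation decision that a router makes against a set of ROAs as specified in RFC 6811: a route is Valid if some ROA covering its prefix names its origin AS and allows its prefix length (maxLength), Invalid if ROAs cover the prefix but none match, and NotFound if no ROA covers it at all. The ROA set and the candidate routes are constructed for the example using documentation prefixes (RFC 5737, RFC 3849) and private ASNs; the AS 0 ROA (RFC 7607) is included to show how a holder marks a prefix that nobody may originate. It also illustrates the caveat the talk hints at: a mistyped prefix that no ROA covers comes back NotFound, not Invalid, so origin validation only protects prefixes whose holders have actually created ROAs.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Added example; the ROAs and routes below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder has signed for, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin AS may announce from it
    asn: int          # authorized origin AS; 0 means "no AS may originate this"


def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the route's prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    route_net = ipaddress.ip_network(prefix)
    if roa_net.version != route_net.version:
        return False
    return route_net.subnet_of(roa_net)


def matches(roa: ROA, prefix: str, origin_as: int) -> bool:
    """A covering ROA matches when the origin AS is the authorized one and the
    announced prefix is no longer than maxLength. AS 0 never matches (RFC 7607)."""
    if not covers(roa, prefix):
        return False
    if roa.asn == 0 or roa.asn != origin_as:
        return False
    return ipaddress.ip_network(prefix).prefixlen <= roa.max_length


def validate(prefix: str, origin_as: int, roas) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    if any(matches(r, prefix, origin_as) for r in covering):
        return "Valid"
    return "Invalid"


def policy_action(state: str) -> str:
    """Typical operator policy: drop Invalid, accept Valid and NotFound
    (NotFound must be accepted while many prefixes still have no ROA)."""
    return "reject" if state == "Invalid" else "accept"


# Constructed ROAs (documentation prefixes, private ASNs); not real data.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # AS64496 may announce exactly the /24
    ROA("198.51.100.0/24", 25, 64496),   # AS64496 may announce the /24 or /25s
    ROA("203.0.113.0/24", 24, 0),        # AS 0: nobody may originate this
    ROA("2001:db8::/32", 48, 64497),     # AS64497 may announce /32 down to /48
]

# Constructed candidate announcements (prefix, origin AS).
ROUTES = [
    ("192.0.2.0/24", 64496),      # the legitimate holder
    ("192.0.2.0/24", 64511),      # someone else originating the holder's prefix
    ("192.0.2.0/25", 64496),      # holder, but more specific than maxLength allows
    ("198.51.100.0/25", 64496),   # within maxLength
    ("198.51.100.0/26", 64496),   # beyond maxLength
    ("203.0.113.0/24", 64496),    # AS 0 ROA: any origin is Invalid
    ("2001:db8:1::/48", 64497),   # IPv6 within maxLength
    ("192.0.22.0/24", 64496),     # mistyped prefix with no ROA: NotFound, not Invalid
]


def evaluate(routes, roas):
    """Validate each route and return (prefix, origin, state, action) tuples."""
    result = []
    for prefix, origin in routes:
        state = validate(prefix, origin, roas)
        result.append((prefix, origin, state, policy_action(state)))
    return result


if __name__ == "__main__":
    for prefix, origin, state, action in evaluate(ROUTES, ROAS):
        print(f"{prefix:<20} AS{origin:<6} {state:<9} {action}")
```

The maxLength cases are the ones worth studying: the /25 of 192.0.2.0/24 is Invalid even from the authorized AS, because the ROA only permits the /24, while 198.51.100.0/25 is Valid because that ROA's maxLength is 25. This is also why a more-specific hijack of a prefix whose ROA has a tight maxLength is rejected, and why the NotFound state must be accepted rather than dropped while ROA coverage remains incomplete.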
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)