> and also our feelings about Cloudflare attempting to build support in this manner, especially now, during the Corona Virus situation.
Weird angle. Unless the RPKI standard is somehow actively encouraging people to violate social distancing policies, I don't see any connection with Covid-19.
To me this whole article just reads like a network operator complaining that someone else is trying to hold them accountable.
It’s a small business. Their staff could be infected or furloughed, or worse.
In terms of our day to day lives it might feel like the proverbial month of Sundays right now, but for operations teams it’s more like an unending stream of Friday afternoons in terms of sensitivity to making big infrastructure changes.
Yeah, that was how I read it - the impact of getting this wrong is that you break the internet for your customers (and staff, if they're all or mostly WFH) at a time when they're potentially depending on it to eat (e.g. if you're in a vulnerable group and need to order food for delivery) or work.
We've known BGP's been vulnerable in this way for years, so it's a bit of a weird time to actively encourage people to publicly shame their ISPs for being "unsafe".
isbgpsafeyet.com only appeared at 4 p.m. BST yesterday, a Friday [1]. It's the timing of that which I took the OP to be commenting on. The GGP mentioned that we're in a month of Friday afternoons, this page dropped literally towards the end of the working day on a Friday afternoon!
As you say, Cloudflare have been promoting RPKI for a couple of years now and it's disappointing that more of the big players haven't implemented it yet but is now the time?
While I am not a fan of some of Cloudflare's actions over the years, they have been positive in the RPKI space for the last several years. They've hosted multiple meetings in their offices with some of the largest networks in the world to discuss RPKI strategy and deployment. They've open sourced software to lower the bar for entry. Their staff was accommodating to other network operators when they rolled out Origin Validation to not black hole parts of the Internet and reached out to networks to let them know of the error to get it fixed. They, like the network I support, have been impacted by some of the same hijacks and I share their frustration when major carriers are not only slow to deploy RPKI or have no plan at all (or even a plan to properly filter their customers: see Verizon). They've been a part of the fight along with other folks who are silent (but those who know, know them).
RPKI is no surprise. People have been beating on their upstreams for it for well over a year. Almost all Internet Exchanges have enabled BGP Origin Validation on their route servers (thanks to the efforts of folks like Job from NTT). It's about time we have a site like this that highlights the overall status of it. That said, there's more we can be doing here to provide metrics on RPKI adoption on the Internet.
Maybe bad optics to do it right now but it needed to be released at some point. If they delayed it until we were at the tail end of the curve of Covid-19 infections, this blog could still rely on "we're still recovering from the pandemic" to support the "bad timing" argument.
For some, it's never the time they should do something. ISPs are notorious for dragging their feet and they'd just find new excuses if CF had delayed the publish.
I mean, the bigger ISPs will just ignore it like they've ignored IPv6 ¯\_(ツ)_/¯
On the other hand, AAISP started automatically assigning IPv6 addresses ~9 years ago, so you can hardly accuse them of dragging their feet. The OP was published on a Saturday, after all.
> To me this whole article just reads like a network operator complaining that someone else is trying to hold them accountable.
Not really though, they do agree in the post that something needs to be done, they just don't agree that RPKI is quite the right answer and that Cloudflare's fearmongering scare tactic is the right move to push for RPKI.
IMO it's easy to have an opinion on either side of the fence - based on what you've done (or not done). Cloudflare, for example, committed to RPKI very publicly in 2018 [0]. This article, by ThousandEyes, does a nice job of visualizing the problem [1], published in July of 2019. As I read the parent article to this thread it strikes me as a bit defensive - which smells of a lie of omission (not exactly the whole truth, but conveniently cherry picked). They do very little in the article to state two missing arguments: 1) their timeline to implement RPKI (they only state: "At this stage we are looking in to this. We want to be sure we take the right approach, some of which will involved asking our transit providers what they are doing about it.") and 2) the rationale for not being further along of protecting customers with regard to the topic of RPKI.
They also grab Coronavirus as a rationale for doing nothing right now:
"Since this has now happened a few times, we felt it worth giving some more information that may be useful to customers and others who've seen these tweets (either directed at us, or at other ISPs), explaining a bit about what BGP is and how RPKI can extend it, and also our feelings about Cloudflare attempting to build support in this manner, especially now, during the Corona Virus situation."
If you look at this NANOG thread [2] nobody is complaining about ATT announcing they have implemented RPKI. So is there a negative downside? No. Has Cloudflare pushed some carriers into an awkward position given they are showcasing the true state of carriers as it pertains to route security in BGP? Yes. Andrews & Arnold are trying to tell their customers that their safety is paramount. Yet, they don't have a timeline to address the problem that other carriers have spent considerable time implementing over the last couple years. So, while Andrews & Arnold may be a great ISP - are they above public disclosure of an area they need to improve? No.
I applaud Cloudflare for showing end users which carriers are not spending time and resources on doing their due diligence to protect their customers. Especially business customers who rely on their parent AS to operate their business safely. Andrews & Arnold's response is suspect at best given their subjective response to the "why" behind why they've chosen to do nothing.
Finally - beyond Cloudflare NIST has been publishing these statistics for much longer. Just because Cloudflare has shown light on the topic - does not mean they are the bad actor. There are plenty of other outlets that have been highly supportive of these deployments - NIST [3] and RIPE [4], among very vocal proponents.
So, after parsing the reality of the values of RPKI for a small amount of time - the question around why Andrews & Arnold have chosen to do nothing feels different and, in my opinion, even more appropriate. Beyond that their response feels very hollow and weak on the technicalities which have put them in a spotlight they'd rather not deal with right now.
Not really - at the moment all businesses are having to readjust efforts and work with fewer resources available.
They don’t want to jump into rash decisions with minimal staff or staff dispersed across home locations and not able to work as effectively as normal - which could lead to broken BGP routes.
My home ISP (RCN) also hasn't turned IPv6 on yet either. However, they turned on RPKI between when I tested IsBGPSafeYet.com in the morning and evening.
It doesn't only read like an asinine complaint, it actually is. "How dare someone highlight what we've left undone."
Saying things like "it's scaring our users", "others are not using it", "it's bad timing", "transit providers should be filtering", no actual non-emotional arguments why they aren't doing it and only shifting the responsibility to secure the internet. I'm too done with companies like that.