samcday | 5 years ago

> and also our feelings about Cloudflare attempting to build support in this manner, especially now, during the Corona Virus situation.

Weird angle. Unless the RPKI standard is somehow actively encouraging people to violate social distancing policies, I don't see any connection with Covid-19..

To me this whole article just reads like a network operator complaining that someone else is trying to hold them accountable.

gorgoiler|5 years ago

It’s a small business. Their staff could be infected or furloughed, or worse.

In terms of our day to day lives it might feel like the proverbial month of Sundays right now, but for operations teams it’s more like an unending stream of Friday afternoons in terms of sensitivity to making big infrastructure changes.

tolien|5 years ago

Yeah, that was how I read it - the impact of getting this wrong is that you break the internet for your customers (and staff, if they're all or mostly WFH) at a time when they're potentially depending on it to eat (e.g. if you're in a vulnerable group and need to order food for delivery) or work.

We've known BGP's been vulnerable in this way for years, so it's a bit of a weird time to actively encourage people to publicly shame their ISPs for being "unsafe".

diath|5 years ago

> To me this whole article just reads like a network operator complaining that someone else is trying to hold them accountable.

Not really though, they do agree in the post that something needs to be done, they just don't agree that RPKI is quite the right answer and that Cloudflare's fearmongering scare tactic is the right move to push for RPKI.

windexh8er|5 years ago

IMO it's easy to have an opinion on either side of the fence - based on what you've done (or not done). Cloudflare, for example, committed to RPKI very publicly in 2018 [0]. This article, by ThousandEyes, does a nice job of visualizing the problem [1], published in July of 2019. As I read the parent article to this thread it strikes me as a bit defensive - which smells of a lie of omission (not exactly the whole truth, but conveniently cherry picked). They do very little in the article to state two missing arguments: 1) their timeline to implement RPKI (they only state: "At this stage we are looking in to this. We want to be sure we take the right approach, some of which will involved asking our transit providers what they are doing about it.") and 2) the rationale for not being further along in protecting customers with regard to the topic of RPKI.

They also grab Coronavirus as a rationale for doing nothing right now:

"Since this has now happened a few times, we felt it worth giving some more information that may be useful to customers and others who've seen these tweets (either directed at us, or at other ISPs), explaining a bit about what BGP is and how RPKI can extend it, and also our feelings about Cloudflare attempting to build support in this manner, especially now, during the Corona Virus situation."

If you look at this NANOG thread [2] nobody is complaining about ATT announcing they have implemented RPKI. So is there a negative downside? No. Has Cloudflare pushed some carriers into an awkward position given they are showcasing the true state of carriers as it pertains to route security in BGP? Yes. Andrews & Arnold are trying to tell their customers that their safety is paramount. Yet, they don't have a timeline to address the problem that other carriers have spent considerable time implementing over the last couple years. So, while Andrews & Arnold may be a great ISP - are they above public disclosure of an area they need to improve? No.

I applaud Cloudflare for showing end users which carriers are not spending time and resources on doing their due diligence to protect their customers. Especially business customers who rely on their parent AS to operate their business safely. Andrews & Arnold's response is suspect at best given their subjective response to the "why" behind why they've chosen to do nothing.

Finally - beyond Cloudflare, NIST has been publishing these statistics for much longer. Just because Cloudflare has shone light on the topic - does not mean they are the bad actor. There are plenty of other outlets that have been highly supportive of these deployments - NIST [3] and RIPE [4], among very vocal proponents.

So, after parsing the reality of the values of RPKI for a small amount of time - the question around why Andrews & Arnold have chosen to do nothing feels different and, in my opinion, even more appropriate. Beyond that their response feels very hollow and weak on the technicalities which have put them in a spotlight they'd rather not deal with right now.

[0] https://blog.cloudflare.com/rpki/

[1] https://blog.thousandeyes.com/visualizing-the-benefits-of-rp...

[2] https://mailman.nanog.org/pipermail/nanog/2019-February/thre...

[3] https://rpki-monitor.antd.nist.gov/#rpki_adopters

[4] https://labs.ripe.net/Members/antony_stergiopoulos/results-o...

edf13|5 years ago

Not really - at the moment all businesses are having to readjust efforts and work with fewer resources available.

They don’t want to jump into rash decisions with minimal staff or staff dispersed across home locations and not able to work as effectively as normal - which could lead to broken BGP routes.

oasisbob|5 years ago

It's a very weird angle, indeed.

My home ISP hasn't deployed IPv6 yet. Though, if they cited COVID-19 as a contributing factor when asked about it, I wouldn't be stunned...

samgranieri|5 years ago

My home ISP (RCN) also hasn't turned IPv6 on yet either. However, they turned on RPKI between when I tested IsBGPSafeYet.com in the morning and evening.

Avamander|5 years ago

It doesn't only read like an asinine complaint, it actually is. "How dare someone highlight what we've left undone."

Saying things like "it's scaring our users", "others are not using it", "it's bad timing", "transit providers should be filtering", no actual non-emotional arguments why they aren't doing it and only shifting the responsibility to secure the internet. I'm too done with companies like that.