IdeaWell

Project ideas from Hacker News discussions.

Is BGP safe yet?

Original Article

Hacker News Discussion

📝 Discussion Summary (Click to expand)

1. RPKI adoptionis still limited and seen as a cost‑driven hurdle

"They may be worried that their larger clients don't have things configured correctly, and they don't want to break things for them." – dec0dedab0de

2. BGP hijacks can be abused to spoof websites and obtain fraudulent certificates

"You can use BGP hijacks to spoof another website. You just need to get a publicly trusted CA to mint a certificate for your new site." – swisniewski

3. The “31 safe” figure is misleading without weighting by size or traffic > "Counting networks passes for journalism, and 31 is noise unless you weight each entry by size and traffic split." – asveikau

These three themes capture the main concerns voiced in the discussion: the uneven rollout of RPKI, the real‑world attack vectors enabled by insecure BGP, and the criticism that the current safety metric is not a reliable indicator of overall network security.

🚀 Project Ideas

Generating project ideas…

SafeISPs Dashboard

Summary

  • Interactive web dashboard that aggregates BGP‑safety data and lets users filter unsafe networks by country, provider type, and traffic size.
  • Provides a simple “Is my ISP safe?” checklist and a shareable export of results.

Details

Key Value
Target Audience End‑users, researchers, security enthusiasts
Core Feature Filterable list with export and email alerts
Tech Stack React + Vite, Node.js/Express, PostgreSQL, bgpkit + rpki‑validator
Difficulty Medium
Monetization Revenue-ready: $5/mo for premium alerts

Notes

  • HN users repeatedly asked for a “table you could filter by country, provider type … based on real results from users”.
  • Quote from tialaramex: “It would be neat to have a table you could filter by country, provider type (cloud/isp etc) based on real results from users.”
  • Potential for discussion around weighting by ISP size and traffic concentration.

BGP Safety CLI Toolkit

Summary

  • A command‑line utility that ISP engineers can run to verify RPKI‑ROA and ASPA validity for their own network prefixes.
  • Generates concise reports and integrates with CI/CD pipelines for continuous safety monitoring.

Details

Key Value
Target Audience ISP network operators, security engineers, automation teams
Core Feature Real‑time validation of ROA/ASPA status with detailed failure reasons
Tech Stack Go, Python bindings, libraries go-rpki, aspa-validator, JSON output
Difficulty Medium
Monetization Revenue-ready: SaaS add‑on subscription ($0.02 per validated prefix)

Notes

  • Community comment hrmtst93837 highlighted the need to test ASPA‑invalid prefixes alongside ROA‑invalid ones.
  • Quote from stefan_: “They may be worried that their larger clients don't have things configured correctly…” – the tool addresses that confidence gap. - Enables practical utility for testing before any production rollout of RPKI.

RPKI Coverage Monitoring Service

Summary- SaaS platform that continuously monitors RPKI status across all known ASNs, aggregates traffic‑weighted safety scores, and notifies subscribers of status changes.

  • Offers a public API for downstream services to incorporate safety metrics.

Details

Key Value
Target Audience ISPs, CDNs, cloud providers, security analysts
Core Feature Automated polling, weighted impact scoring, alerting via webhooks/email
Tech Stack Python (FastAPI), Celery, PostgreSQL, Redis, Prometheus‑style metrics endpoint
Difficulty High
Monetization Revenue-ready: $0.01 per monitored ASN per month

Notes

  • Discussion noted that “31 is a misleadingly positive picture” due to weighting by size (asveikau). This service adds proper weighting.
  • Quote from tialaramex: “Maybe they’ve been more than ‘cautious’ enough at this point and should just implement RPKI.” The service provides the monitoring to confirm that.
  • Sparks conversation about expanding beyond ROA checks to ASPA and providing actionable alerts.

Read Later