deploying RPKI based Origin Validation
mark.tinka at seacom.mu
Sat Jul 14 09:03:16 UTC 2018
On 14/Jul/18 09:11, Baldur Norddahl wrote:
> In the RIPE part of the world there is no excuse for not getting RPKI
> correct because RIPE made it so easy. Perhaps the industry could agree on
> enabling RPKI validation on all european circuits for a start?
I think the first step (and what I'd consider to be a quick win) is if
we determined all the prefixes that are being designated Invalid, and
nail down how many of those are Invalid due to the fact that they are
more-specifics announced without a ROA, vs. the parent aggregate which
We would then ask the operators of those prefixes to either withdraw
them (easier, but unlikely) or sign them in the RPKI and create ROA's
for them (more work, but more likely). Going for the latter.
Once that is fixed, and even though the entire BGP world is not running
RPKI, those that are and are dropping Invalids would be 100% certain
that those Invalids are either leaks or hijacks.
I think that will get us 50% of the way there, with the other 50% would
now just be growing community participation in RPKI.
Thankfully, I believe all (or most) of the RIR's support a simple "click
of a button" to say "All prefixes up to a /24 or a /48 of the aggregate
should automatically be ROA'd if the aggregate, itself, is ROA'd". So it
shouldn't be a lot of work to get what is currently broken fixed. And
the beauty, we don't need everyone to participate in the RPKI today for
those that want the benefit right now to enjoy it so.
More information about the NANOG