deploying RPKI based Origin Validation

Job Snijders job at ntt.net
Mon Jul 16 15:26:03 UTC 2018


On Sat, Jul 14, 2018 at 11:03:16AM +0200, Mark Tinka wrote:
> On 14/Jul/18 09:11, Baldur Norddahl wrote:
> > In the RIPE part of the world there is no excuse for not getting
> > RPKI correct because RIPE made it so easy. Perhaps the industry
> > could agree on enabling RPKI validation on all european circuits for
> > a start?
> 
> I think the first step (and what I'd consider to be a quick win) is if
> we determined all the prefixes that are being designated Invalid, and
> nailed down how many of those are Invalid due to the fact that they are
> more-specifics announced without a ROA, vs. the parent aggregate which
> is ROA'd.

I calculated this here a few days ago:
http://instituut.net/~job/rpki-report-2018.07.12.txt

Markus Weber from KPN is generating a daily report here and drew similar
conclusions: https://as286.net/data/ana-invalids.txt Markus scrapes all
routes from the AS 286 PEs and marks the routes for which no valid or
unknown alternative exists as "altpfx=NONE".

> We would then ask the operators of those prefixes to either withdraw
> them (easier, but unlikely) or sign them in the RPKI and create ROAs
> for them (more work, but more likely). Going for the latter.

Or delete the incorrect RPKI ROA. Either way is fine.

> Once that is fixed, and even though the entire BGP world is not
> running RPKI, those that are and are dropping Invalids would be 100%
> certain that those Invalids are either leaks or hijacks.
> 
> I think that will get us 50% of the way there, and the other 50%
> would now just be growing community participation in RPKI.
> 
> Thankfully, I believe all (or most) of the RIRs support a simple
> "click of a button" to say "All prefixes up to a /24 or a /48 of the
> aggregate should automatically be ROA'd if the aggregate, itself, is
> ROA'd". So it shouldn't be a lot of work to get what is currently
> broken fixed. And the beauty, we don't need everyone to participate in
> the RPKI today for those that want the benefit right now to enjoy it
> so.

Perhaps the RIRs should start an outreach program to proactively inform
the owners of those 2,200 invalid route announcements to get them to
either fix or delete the RPKI ROA.

Kind regards,

Job
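
Worked example, added here and not part of the thread or of any of the reports or tools mentioned above: a small RFC 6811-style origin validation routine, a classifier that splits Invalids into "more-specific beyond the ROA's maxLength" versus "wrong origin AS" (the breakdown Mark asks for), and the check the as286.net report expresses as altpfx=NONE, i.e. whether any Valid or NotFound route in the table covers the Invalid one. All ROAs and routes below are constructed sample data using documentation prefixes and private ASNs; the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorizes
    asn: int          # authorized origin AS


def _covering_roas(route_prefix, roas):
    """ROAs whose prefix covers route_prefix (same address family only)."""
    net = ipaddress.ip_network(route_prefix)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate(route_prefix, origin_asn, roas):
    """RFC 6811 validation state of one route: 'valid', 'invalid' or 'unknown'."""
    covering = _covering_roas(route_prefix, roas)
    if not covering:
        return "unknown"          # NotFound: no ROA covers this prefix
    plen = ipaddress.ip_network(route_prefix).prefixlen
    for roa in covering:
        if roa.asn == origin_asn and plen <= roa.max_length:
            return "valid"
    return "invalid"


def invalid_reason(route_prefix, origin_asn, roas):
    """Why a route is Invalid: 'maxlength' (right AS, announcement more specific
    than the ROA allows) or 'origin' (no covering ROA names this AS). None if not Invalid."""
    if validate(route_prefix, origin_asn, roas) != "invalid":
        return None
    if any(roa.asn == origin_asn for roa in _covering_roas(route_prefix, roas)):
        return "maxlength"
    return "origin"


def classify_invalids(routes, roas):
    """Map each Invalid (prefix, asn) to the least-specific Valid/NotFound route that
    covers it, or None when no alternative exists (the report's altpfx=NONE case)."""
    states = {r: validate(r[0], r[1], roas) for r in routes}
    result = {}
    for (pfx, asn), state in states.items():
        if state != "invalid":
            continue
        net = ipaddress.ip_network(pfx)
        alts = []
        for (opfx, _oasn), ostate in states.items():
            onet = ipaddress.ip_network(opfx)
            if ostate != "invalid" and onet.version == net.version and net.subnet_of(onet):
                alts.append(onet)
        result[(pfx, asn)] = str(min(alts, key=lambda n: n.prefixlen)) if alts else None
    return result


def summarize(routes, roas):
    """Counts an operator would want before outreach: how many Invalids, split by
    reason, and how many have no covering alternative at all."""
    inv = classify_invalids(routes, roas)
    reasons = [invalid_reason(p, a, roas) for (p, a) in inv]
    return {
        "invalid": len(inv),
        "maxlength": reasons.count("maxlength"),
        "origin": reasons.count("origin"),
        "altpfx_none": sum(1 for alt in inv.values() if alt is None),
    }


# Constructed sample data (documentation prefixes, private ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64497),
    ROA("203.0.113.0/24", 26, 64498),
]
ROUTES = [
    ("192.0.2.0/24", 64496),      # valid
    ("192.0.2.128/25", 64496),    # invalid: beyond maxLength, covered by the valid /24
    ("198.51.100.0/24", 64499),   # invalid: wrong origin AS, no alternative route
    ("203.0.113.0/26", 64498),    # valid (/26 == maxLength)
    ("203.0.113.0/27", 64498),    # invalid: beyond maxLength, covered by the valid /26
    ("10.0.0.0/8", 64496),        # unknown: no ROA at all
]

if __name__ == "__main__":
    for route, alt in classify_invalids(ROUTES, ROAS).items():
        print(route, invalid_reason(route[0], route[1], ROAS), "altpfx=" + (alt or "NONE"))
    print(summarize(ROUTES, ROAS))
```

The "maxlength" bucket is the set Mark's "click of a button" remark targets: the aggregate already has a ROA under the right AS, so extending maxLength (or adding a ROA for the more-specific) fixes it without touching routing; the "origin" bucket needs the ROA or the announcement corrected, as Job notes. Routes in the altpfx=NONE bucket are the ones that disappear entirely from a validating network, so they are the first to chase.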
