deploying RPKI based Origin Validation

Paolo Lucente pl+list at pmacct.net
Mon Jul 16 17:00:59 UTC 2018


Hi Job, All,

It is definitely great to see progress on the deployment side! I realize
that there may be some gaps in the network operator toolchain, and this
may be something I'd like to contribute to.

For network operators to better understand the impact of BGP hijacks in
terms of revenue or volumes of traffic that went missing, it makes perfect
sense if network monitoring tools are aware of which BGP announcements
are invalid or not.

I will look into adding support for the RTR protocol (RFC 6810, RFC
8210) to pmacct ( https://github.com/pmacct/pmacct , http://pmacct.net/ )
and expose the validation state through an extra field (when collecting
routing tables) and primitive (when accounting traffic and correlating
it with BGP data).

Updating the telemetry tools to be fully aware of RPKI validation states
should come in handy!

Paolo

On Thu, Jul 12, 2018 at 05:50:29PM +0000, Job Snijders wrote:
> Hi all,
> 
> I wanted to share with you that a ton of activity is taking place in the
> Dutch networker community to deploy RPKI based BGP Origin Validation.
> The mantra is "invalid == reject" on all EBGP sessions.
> 
> What's of note here is that we're now seeing the first commercial ISPs
> doing Origin Validation. This is a significant step forward compared to
> what we observed so far (it seemed OV was mostly limited to academic
> institutions & toy networks). But six months ago Amsio (https://www.amsio.com/en/)
> made the jump, and today Fusix deployed (https://fusix.nl/deploying-rpki/).
> 
> We've also seen an uptake of Origin Validation at Internet Exchange
> route servers: AMS-IX and FranceIX have already deployed. I've read that
> RPKI OV is under consideration at a number of other exchanges.
> 
> Other cool news is that Cloudflare launched a Certificate Transparency
> initiative to help keep everyone honest. Announcement at:
> https://twitter.com/grittygrease/status/1017224762542587907
> Certificate Transparency is a fascinating tool, really a necessity to
> build confidence in any PKI system.
> 
> Anyone here working to deploy RPKI based Origin Validation in their
> network and reject invalid announcements? Anything of note to share?
> 
> Kind regards,
> 
> Job
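
The validation state discussed in this message, as an added example that is not part of the original post and is not pmacct code: it classifies routes against VRPs following the RFC 6811 origin validation procedure, then sums traffic per state. The VRPs, flow records, and the function names `load_vrps`, `validation_state` and `bytes_by_state` are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed VRPs (prefix, maxLength, origin ASN) using documentation
# prefixes and ASNs; a real deployment would receive these over RTR.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
    ("203.0.113.0/24", 24, 0),   # AS0 VRP: prefix must not be routed
]

def load_vrps(rows):
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in rows]

def validation_state(vrps, route_prefix, origin_asn):
    """Classify one route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    origin_asn is None when the origin cannot be determined (AS_SET).
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_net, maxlen, vrp_asn in vrps:
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"

def bytes_by_state(vrps, flows):
    """Sum traffic volume per validation state of the destination route."""
    totals = Counter()
    for prefix, origin_asn, nbytes in flows:
        totals[validation_state(vrps, prefix, origin_asn)] += nbytes
    return dict(totals)

# Constructed flow summaries: (BGP prefix, origin ASN, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.0/24", 64496, 5000),     # matches the VRP
    ("192.0.2.128/25", 64496, 700),    # more specific than maxLength
    ("192.0.2.0/24", 64511, 1200),     # wrong origin
    ("203.0.113.0/24", 64500, 300),    # covered only by an AS0 VRP
    ("198.51.100.0/24", 64500, 900),   # no covering VRP
]

if __name__ == "__main__":
    print(bytes_by_state(load_vrps(SAMPLE_VRPS), SAMPLE_FLOWS))
```

A route is "invalid" only when some VRP covers it and none matches; a route with no covering VRP is "not-found", which an "invalid == reject" policy still accepts.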


