Networks enforcing RPKI validation

Job Snijders job at ntt.net
Fri Jun 7 15:29:49 UTC 2019


Dear Eric,

If you don't mind me showering you with some study resources... here we
go!

On Fri, Jun 07, 2019 at 10:58:48AM -0400, Eric Dugas wrote:
> I was wondering if there was a list of networks that enforce RPKI
> validation and dropping invalids.

The last list that was compiled is available here
https://blog.benjojo.co.uk/post/state-of-rpki-in-2018

I expect that by now the list has doubled. We received many anecdotal
reports since then from people having deployed Origin Validation in
their networks. Perhaps if we ask Ben Cartwright-Cox nice enough he can
run a new report for Q2 2019 :-)

> The shortlist I know is: AT&T (since February of this year) 

Which is awesome! AT&T's deployment has definitely lowered the barrier
to deployment for others.

> and of course NTT because of Job

Point of clarification: NTT is not there yet, but we are on our way.
NTT does not yet apply RFC 6811 Origin Validation on its EBGP sessions
and does not yet reject RPKI Invalid BGP announcements.

However, NTT does use RPKI data in its filter generation process, more
information on that topic can be found here:
https://blog.apnic.net/2018/08/01/treating-rpki-roas-as-irr-route6-objects/

The next step will be to use RPKI data to ignore conflicting IRR data,
this way the IRR will be harder to abuse in facilitating
misconfigurations or hijacks. An example of that type of use of RPKI
data can be found here https://ripe78.ripe.net/archives/video/119/
slides: https://ripe78.ripe.net/presentations/137-db_wg_ripe78_prop2018-06_snijders.pdf

After that, we'll also use RPKI data to strengthen our EBGP filters in a
similar way to how AT&T does it. I hope that we'll be done Q1 2020 - but
don't hold me to that date! We move at telco speed sometimes ;-)

An overview of where the industry was and where we're heading can be
found in "Routing Security Roadmap" presentation at
https://nlnog.net/nlnog-day-2018/

Finally - here is a quick and easy browser based tool to attempt to
figure out if the network you are connected to performs RPKI based BGP
Origin Validation (and is default-free) https://ripe.net/s/rpki-test

Kind regards,

Job
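The two mechanisms Job describes above, RFC 6811 Origin Validation of a BGP announcement and using RPKI data to ignore conflicting IRR route objects during filter generation, can be sketched in a few lines. What follows is an added example, not code from this thread, from Job, or from NTT: the ROAs, route objects and ASNs are constructed sample data drawn from documentation ranges, and the filter-generation policy (drop RPKI Invalid IRR objects, admit ROAs for the customer ASN up to their maxLength) is an illustrative assumption about how such a process could work, not NTT's actual implementation.

```python
# Added example (not part of the NANOG thread): RFC 6811 Origin Validation
# plus a small RPKI-aware IRR filter generator.  All ROAs, route objects
# and ASNs below are constructed sample data from documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: (prefix, maxLength, origin AS), as in RFC 6811."""
    prefix: Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class RouteObject:
    """An IRR route/route6 object reduced to what filter generation needs."""
    prefix: str
    origin_asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix, strict=False), max_length, asn)


def validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 section 2: NotFound if no VRP covers the route; Valid if at
    least one covering VRP has the same origin AS and a maxLength that
    permits the announced prefix length; Invalid otherwise.  maxLength does
    not affect coverage, only the match, and an AS0 VRP covers but never
    matches, so it makes every covered announcement Invalid."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return NOT_FOUND
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return VALID
    return INVALID


def generate_filter(customer_asn: int, route_objects: Iterable[RouteObject],
                    vrps: Iterable[VRP]) -> List[Tuple[str, int, int]]:
    """Build prefix-list entries (prefix, min_len, max_len) for a customer's
    EBGP session.  Assumed policy (an illustration, not NTT's real process):
      1. IRR route objects that are RPKI Invalid are ignored, so a stale or
         forged IRR object cannot contradict a ROA;
      2. ROAs for the customer's ASN are treated like route objects and
         admitted from the ROA prefix length up to its maxLength."""
    vrps = list(vrps)
    entries = set()
    for ro in route_objects:
        if ro.origin_asn != customer_asn:
            continue
        if validate(ro.prefix, ro.origin_asn, vrps) == INVALID:
            continue  # conflicting IRR data: drop it
        net = ipaddress.ip_network(ro.prefix, strict=False)
        entries.add((str(net), net.prefixlen, net.prefixlen))
    for v in vrps:
        if v.asn == customer_asn:
            entries.add((str(v.prefix), v.prefix.prefixlen, v.max_length))
    return sorted(entries)


# Constructed sample data: RFC 5737 / RFC 3849 documentation prefixes and
# RFC 5398 documentation ASNs; none of these are real ROAs or IRR objects.
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("2001:db8::/32", 48, 64496),
    vrp("198.51.100.0/24", 24, 0),      # AS0 ROA: "do not originate"
]

SAMPLE_ROUTE_OBJECTS = [
    RouteObject("192.0.2.0/24", 64496),     # Valid, kept
    RouteObject("192.0.2.0/25", 64496),     # Invalid (maxLength 24), dropped
    RouteObject("203.0.113.0/24", 64496),   # NotFound, kept (IRR still governs)
    RouteObject("198.51.100.0/24", 64496),  # Invalid (AS0 ROA), dropped
    RouteObject("203.0.113.0/24", 64497),   # another ASN, not this customer
]

if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                 ("192.0.2.0/24", 64497), ("203.0.113.0/24", 64496),
                 ("2001:db8:1::/48", 64496), ("198.51.100.0/24", 64496)]:
        print(f"{p:18} AS{a}: {validate(p, a, SAMPLE_VRPS)}")
    for entry in generate_filter(64496, SAMPLE_ROUTE_OBJECTS, SAMPLE_VRPS):
        print("permit", *entry)
```

Running the block prints the validation state of each sample announcement and the resulting prefix-list entries: the /25 IRR object and the prefix covered by an AS0 ROA are dropped, while the NotFound prefix is kept, which is what ignoring conflicting IRR data amounts to in practice. A real deployment would take its VRPs from an RPKI validator over RTR (RFC 6810/8210) rather than from a hardcoded list, and would refresh the filter as ROAs change.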



More information about the NANOG mailing list