NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

Alex Band alex at nlnetlabs.nl
Thu Mar 26 14:44:04 UTC 2020


Many congratulations for getting this deployed, Job!

Now that so many networks are dropping RPKI invalid announcements, for this to really have a practical effect operators should put in the effort to create and maintain ROAs for their route announcements. 

Over the last 10 years, the trend in most regions has been that first a large number of ROAs were created by the local operator communities. After proving this was a high-quality and well-maintained data set, operators took the next step to start using RPKI to filter invalids.

Especially in North America, the order seems to be flipped. While invalids are now being dropped more and more, ROA coverage is currently only at 7% in the US and 2.5% in Canada. Accuracy is at around 95%, so that’s great.

https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/

Please create ROAs!

-Alex

> On 26 Mar 2020, at 01:50, Job Snijders <job at ntt.net> wrote:
> 
> Dear group,
> 
> Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
> based BGP Origin Validation on virtually all EBGP sessions, both
> customer and peering edge. This change positively impacts the Internet
> routing system.
> 
> The use of RPKI technology is a critical component in our efforts to
> improve Internet routing stability and reduce the negative impact of
> misconfigurations or malicious attacks. RPKI Invalid route announcements
> are now rejected in NTT EBGP ingress policies. A nice side effect:
> peerlock AS_PATH filters are incredibly effective when combined with
> RPKI OV.
> 
> For NTT, this is the result of a multiyear project, which included
> outreach, education, collaboration with industry partners, and
> production of open source software shared among colleagues in the
> industry.
> 
> Shout out to Louis & team (Cloudflare) for the open source GoRTR
> software and the OpenBSD project for rpki-client(8).
> 
> I hope some take this news as encouragement to consider RPKI OV
> "invalid == reject"-policies as safe to deploy in their own BGP
> environments too. :-)
> 
> If you have questions, feel free to reach out to me directly or the
> NTT NOC at <noc at ntt.net>.
> 
> Kind regards,
> 
> Job
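
Added example, not part of either message in this thread: a minimal route origin validation check following the RFC 6811 states, showing why an "invalid = reject" policy only protects prefixes that are covered by a ROA. The VRP entries, prefixes (documentation ranges) and AS numbers are constructed, and `validate` and `ingress_accepts` are hypothetical names.

```python
import ipaddress
from typing import List, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) tuple."""
    prefix: str
    max_length: int
    asn: int


def validate(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS and not more specific than maxLength.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but never matched is invalid; no covering VRP is not-found.
    return "invalid" if covered else "not-found"


def ingress_accepts(prefix: str, origin_asn: int, vrps: List[VRP]) -> bool:
    """'invalid = reject' policy: only the invalid state is dropped."""
    return validate(prefix, origin_asn, vrps) != "invalid"


# Constructed VRP set: the holder of 192.0.2.0/24 and 2001:db8::/32 has
# created ROAs; nobody has created one for 198.51.100.0/24.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # legitimate origin
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("192.0.2.0/25", 64496),     # more specific than maxLength
        ("198.51.100.0/24", 64511),  # no ROA exists for this prefix
        ("2001:db8:1::/48", 64496),  # within maxLength 48
    ]
    for pfx, asn in announcements:
        state = validate(pfx, asn, SAMPLE_VRPS)
        action = "accept" if ingress_accepts(pfx, asn, SAMPLE_VRPS) else "reject"
        print(f"{pfx:18} AS{asn}  {state:9}  {action}")
```

The announcement for the prefix without a ROA comes back not-found and is still accepted, whoever originates it.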



