A few questions regarding about RPKI/invalids

Drew Weaver drew.weaver at thenap.com
Thu Mar 31 17:53:49 UTC 2022


Want to give credit to 3356, after I contacted them they eliminated all of the bad routes coming in via legacy Global Crossing.

-Drew

-----Original Message-----
From: Job Snijders <job at fastly.com> 
Sent: Wednesday, March 30, 2022 10:33 AM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: 'nanog at nanog.org' <nanog at nanog.org>
Subject: Re: A few questions regarding about RPKI/invalids

On Wed, Mar 30, 2022 at 01:29:25PM +0000, Drew Weaver wrote:
> Ex 45.176.191.0/24   3356 3549 11172 270150
> 
> RPKI ROA entry for 45.176.191.0/24-24
>   Origin-AS: 265621
> 
> Two questions:
> 
> First, are you also seeing this on this specific route?

It is visible in a few places, but the 61% score in, for example, RIPE stat is very low, which is a strong hint some kind of issue exists:
https://stat.ripe.net/ui2013/45.176.191.0%2F24#tabId=routing

> Second, is there a certain number of "expected" invalid routes? (not 
> including unknowns)

Through large transit providers that do RPKI ROV with 'invalid == reject' you'll generally see fewer than 100 invalids at any given time (1299, 174, 3257, 3303, 6830, etc).

Then there are large transit providers who (as far as the public record is concerned) have not yet deployed RPKI ROV on their EBGP edges. Via AS 6762 I see ~2,300 invalids, and via AS 6461 about 3,000 invalids.

For historical perspective: this 3,000 upper bound number used to be ~6,000 back in the 'pre RPKI era' in 2018/2019.

> Third, how are you handling specifically the large number of routes 
> from 3356 3549 which have invalid origin AS? Are you just "letting the 
> bodies hit the floor"? or are you carving those out somehow?

I'd reject them. Why carve out an exception merely because the number is 'large'? :-)

Kind regards,

Job
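
Added example, not part of the mailing-list messages above: a small Python sketch of RFC 6811 route origin validation applied to the route and ROA quoted in the thread, with an 'invalid == reject' import policy. The VRP table beyond the quoted ROA, the extra sample routes, and the function names are constructed for illustration; AS paths are assumed to be plain sequences with no AS_SET.

```python
import ipaddress

# Constructed VRP table: (prefix, maxLength, origin AS). The first entry is the
# ROA quoted in the thread; the second uses a documentation prefix and ASN.
VRPS = [
    ("45.176.191.0/24", 24, 265621),
    ("203.0.113.0/24", 24, 64500),
]

def origin_as(as_path):
    """The origin AS is the right-most ASN of the AS_PATH."""
    return int(as_path.split()[-1])

def validate(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match needs length <= maxLength and the same origin; AS 0 never matches.
        if route.prefixlen <= max_len and vrp_asn != 0 and origin == vrp_asn:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

def import_policy(routes):
    """'invalid == reject': accept valid and not-found routes, drop invalids."""
    accepted, rejected = [], []
    for prefix, as_path in routes:
        state = validate(prefix, as_path)
        (rejected if state == "invalid" else accepted).append((prefix, state))
    return accepted, rejected

# First route is the one from the thread; the rest are constructed.
SAMPLE_ROUTES = [
    ("45.176.191.0/24", "3356 3549 11172 270150"),  # wrong origin AS
    ("45.176.191.0/24", "64496 265621"),            # origin matches the ROA
    ("45.176.191.128/25", "64496 265621"),          # longer than maxLength 24
    ("198.51.100.0/24", "64496 64511"),             # no covering VRP
]

if __name__ == "__main__":
    accepted, rejected = import_policy(SAMPLE_ROUTES)
    print("accepted:", accepted)
    print("rejected:", rejected)
```
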

