[AusNOG] BGP rpki

Randy Cassidy randy.cassidy at iracing.com
Wed Sep 30 01:18:23 EST 2020


Hi Alex,

The ROA is something you create/sign via your regional registry (APNIC in
your case, ARIN for me).  There's nothing you configure on your own routers
as far as announcing your (signed or unsigned) prefixes to your Transit
providers.  The ROA basically says "it is valid for the following AS number
to *originate* the announcement of the following
(IP/prefix_length/max_prefix_length) list."  Networks that implement RPKI
use "out of band" mechanisms to perform the validation of the routes they
receive via BGP.

For example, if you owned 10.11.0.0/16, and your AS number was 65432, your
ROA might say "65432 is allowed to announce 10.11.0.0/16".  You must also
specify the "max prefix length".  I'm fuzzy on this, but I believe the
reason is to prevent other networks from accidentally leaking internally
dis-aggregated blocks of your routes to the outside world.  Since "longer
prefix wins", they could accidentally (or intentionally) force all your
inbound traffic to flow through them.  So if you know that you'll never
announce blocks of your /16 IP space with a prefix length greater than /20,
you'd specify 20 as the max prefix length in your ROA.  If some other
network has internally split you down into /24's, and then leaked those,
any other networks that have implemented route origin validation would
reject them, as they're more specific than you allow.

This is for ARIN, but the fields in each ROA should be the same for APNIC.
https://www.arin.net/resources/manage/rpki/roa_request/

I hope that explanation helps!

Randy
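
The validation Randy describes, as an added example that is not part of his message or of any registry tooling: a small route origin validation routine in the style of RFC 6811, run against a constructed ROA table using the 10.11.0.0/16, AS 65432 and maxLength 20 values from the example above. It shows that a leaked /24 is "invalid" even when the owner's own AS originates it, and that space with no ROA at all is "notfound" rather than rejected.

```python
import ipaddress

# Constructed ROA table (not real registry data). Each entry carries the
# three fields a ROA has: prefix, authorised origin AS, max prefix length.
ROAS = [
    ("10.11.0.0/16", 65432, 20),
    ("192.0.2.0/24", 64500, 24),
]


def roa_covers(roa_prefix, announced):
    """A ROA covers an announcement when the announced prefix sits inside
    the ROA prefix (same address family, equal or longer length)."""
    return (roa_prefix.version == announced.version
            and announced.subnet_of(roa_prefix))


def validate(prefix, origin_as, roas=ROAS):
    """Route origin validation: 'valid', 'invalid' or 'notfound'."""
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = [
        (asn, max_len)
        for roa_prefix, asn, max_len in roas
        if roa_covers(ipaddress.ip_network(roa_prefix), announced)
    ]
    if not covering:
        return "notfound"  # no ROA says anything about this address space
    for asn, max_len in covering:
        # Valid only if a covering ROA names this origin AS and the
        # announcement is no more specific than that ROA's maxLength.
        if asn == origin_as and announced.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered, but wrong origin or longer than maxLength


def rov_accepts(prefix, origin_as, roas=ROAS):
    """Typical ROV policy: drop 'invalid', keep 'valid' and 'notfound'."""
    return validate(prefix, origin_as, roas) != "invalid"


if __name__ == "__main__":
    for route in [("10.11.0.0/16", 65432), ("10.11.0.0/20", 65432),
                  ("10.11.5.0/24", 65432), ("10.11.0.0/16", 64496),
                  ("203.0.113.0/24", 65432)]:
        print(route, validate(*route), "accept" if rov_accepts(*route) else "drop")
```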

On Tue, Sep 29, 2020 at 10:16 AM Alex Samad <alex at samad.com.au> wrote:

> Hi
>
> I'll answer the last.
>
> So if I am the origin and I use multiple transit providers.  Don't I have
> to sign mine? So I get I have to go to myapnic and set up a ROA.  But don't
> I have to sign my prefix (sorry, I'm new to this), before sending this
> upstream? Isn't the verification done by checking the signatures of all of
> the ASes?
>
>
> ROS 7 - yes buggy a ... been waiting for multithread BGP for ...... I
> like the platform, but I have given up on them..
>
> Thanks for all of the replies
>
>
> On Tue, 29 Sep 2020 at 19:28, Aftab Siddiqui <aftab.siddiqui at gmail.com>
> wrote:
>
>> Hi Alex,
>> If you are not doing ROV (Route Origin Validation) then you don't have to
>> do anything on your end. Great to hear that Exetel is planning to do
>> validation but that means you have to create ROAs (Route Origin
>> Authorization) on myapnic portal, if you don't have them already.
>>
>> Regards,
>>
>> Aftab A. Siddiqui
>>
>>
>> On Tue, 29 Sep 2020 at 18:46, Alex Samad <alex at samad.com.au> wrote:
>>
>>> Hi
>>>
>>> Wondering how prevalent is RPKI in transit providers in Oz. Just got an
>>> email from exetel to say they are starting a rollout of it.
>>>
>>> Seems like my ROS routers don't have it; seems like they have been
>>> talking about it back in 2014, still waiting on that feature to be added.
>>>
>>> Curious if all of my transit providers are going to come knocking and
>>> asking for me to turn this on?
>>>
>>> Plus some quick googling seems to suggest it's currently flawed..
>>>
>>> Thanks
>>> Alex
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>