[AusNOG] BGP rpki
Andy Davidson
andy at nosignal.org
Thu Oct 1 20:02:42 EST 2020
Hi, Alex
Alex Samad wrote:
> Wondering how prevalent is RPKI in transit providers in Oz. Just got an email from exetel to say they are starting a rollout of it.
> Seems like my ROS routers don't have it, seems like they have been talking about back in 2014, still waiting on that feature to be added.
> Curious if all of my transit providers are going to come knocking and asking for me to turn this on ?
It depends what you mean by rolling it out and supporting it. It could mean publishing ROAs for your/their prefixes, or it could mean verifying announcements against the database of published ROAs.
A ROA (Route Origin Authorisation) is a signed digital attestation that an ASN has explicit permission to originate a prefix. You can publish these in MyAPNIC. It is a good idea to do this and to express your intent correctly because once you have published your ROAs it means networks who do ROA verification (what I think you mean by rolling out RPKI) are less likely to accept and propagate hijack attempts for your prefixes. You can also indicate whether a prefix deaggregates should appear in the default free routing table so it's a really good way to limit your exposure to spoof origin attempts.
You don't need your equipment to support the verification of ROAs in order to publish ROAs for your prefixes, nor do you need your equipment to support it if your upstream does. Note, the majority of large networks are today filtering RPKI invalid prefixes. Doing RPKI filtering on your network is a good idea to prevent your customers from sending traffic to prefix hijackers instead of rightful originators.
In other words, their notification means many networks can do nothing, but you should check that your RPKI data (if published) in MyAPNIC is not wrong (or you're going to fall offline), and publish valid RPKI data anyway to protect your customers!
> Plus some quick googling seems to suggest its currently flawed..
Beware quick googling; today's RPKI not full BGPSEC but it's a great step towards preventing accidental and many deliberate hijack attempts.
Andy
More information about the AusNOG
mailing list