[AusNOG] BGP rpki
Narelle Clark
narellec at gmail.com
Fri Oct 2 11:56:02 EST 2020
And to add to this - you'll find it implemented across all IX Australia
exchanges now, so if you peer (and you should :-) ) we will be in touch if
there are any routes being dropped. RPKI is in everyone's interest.
all the best
Narelle
On Thu, 1 Oct 2020 at 20:03, Andy Davidson <andy at nosignal.org> wrote:
> Hi, Alex
>
> Alex Samad wrote:
> > Wondering how prevalent is RPKI in transit providers in Oz. Just got an
> email from exetel to say they are starting a rollout of it.
> > Seems like my ROS routers don't have it, seems like they have been
> talking about back in 2014, still waiting on that feature to be added.
> > Curious if all of my transit providers are going to come knocking and
> asking for me to turn this on?
>
> It depends what you mean by rolling it out and supporting it. It could
> mean publishing ROAs for your/their prefixes, or it could mean verifying
> announcements against the database of published ROAs.
>
> A ROA (Route Origin Authorisation) is a signed digital attestation that an
> ASN has explicit permission to originate a prefix. You can publish these
> in MyAPNIC. It is a good idea to do this and to express your intent
> correctly because once you have published your ROAs it means networks who
> do ROA verification (what I think you mean by rolling out RPKI) are less
> likely to accept and propagate hijack attempts for your prefixes. You can
> also indicate whether prefix deaggregates should appear in the default
> free routing table so it's a really good way to limit your exposure to
> spoof origin attempts.
>
> You don't need your equipment to support the verification of ROAs in order
> to publish ROAs for your prefixes, nor do you need your equipment to
> support it if your upstream does. Note, the majority of large networks are
> today filtering RPKI invalid prefixes. Doing RPKI filtering on your
> network is a good idea to prevent your customers from sending traffic to
> prefix hijackers instead of rightful originators.
>
> In other words, their notification means many networks can do nothing, but
> you should check that your RPKI data (if published) in MyAPNIC is not wrong
> (or you're going to fall offline), and publish valid RPKI data anyway to
> protect your customers!
>
> > Plus some quick googling seems to suggest it's currently flawed...
>
> Beware quick googling; today's RPKI is not full BGPSEC, but it's a great step
> towards preventing accidental and many deliberate hijack attempts.
>
> Andy
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
--
Narelle
narellec at gmail.com
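Andy's description above of a ROA (prefix, maximum length, authorised origin AS) and of verifying announcements against published ROAs corresponds to Route Origin Validation as specified in RFC 6811. The following is an added example and not code from this thread; the ROAs and announcements are constructed sample data using documentation prefixes and private ASNs, and in a real network the validated ROA payloads would come from a relying-party validator (e.g. over RTR) rather than a hard-coded list.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest more-specific this ROA authorises
    asn: int         # origin AS permitted to announce it


# Constructed sample ROAs (documentation prefixes, private ASN 64500).
CONSTRUCTED_ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # no deaggregates allowed
    ROA("2001:db8::/32", 48, 64500),    # deaggregates down to /48 allowed
]


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation state for one BGP announcement.

    notfound: no ROA covers the announced prefix at all.
    invalid:  a covering ROA exists, but none matches both the origin AS
              and the maxLength constraint (hijack or over-deaggregation).
    valid:    a covering ROA matches the origin AS and the prefix length
              does not exceed its maxLength.
    A BGP announcement never carries origin AS 0, so an AS0 ROA (asn=0)
    can only ever render announcements invalid, as intended.
    """
    announced = ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if roa_net.version != announced.version:
            continue
        if not announced.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def accept_route(prefix: str, origin_asn: int, roas=CONSTRUCTED_ROAS) -> bool:
    """Common RPKI policy: drop invalid, accept valid and notfound."""
    return validate_origin(prefix, origin_asn, roas) != "invalid"
```

A legitimate /25 deaggregate of 203.0.113.0/24 is invalid under the ROA above because its maxLength is 24, which is the "express your intent correctly" point Andy makes.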