[AusNOG] BGP rpki

Jett Jackson Jett at Lumity.com.au
Tue Sep 29 19:06:34 EST 2020


I can testify to RoS v7 being garbage.

I started configuring our network on it and was pulling hair out at the half-baked BGP options.

Our upstream does RPKI filtering so I don't see the need to configure it directly.



Jett Jackson
Hosting and Automation Lead

E   Jett at LUMITY.com.au
T   1300 LUMITY (1300 586 489)
W  www.LUMITY.com.au
A   PO BOX 4089 | Success, WA 6964



-----Original Message-----
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: 29 September 2020 5:03 PM
To: Alex Samad <alex at samad.com.au>
Cc: Ausnog <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] BGP rpki

Hi Alex,

Mikrotik’s RouterOS v7 apparently is supposed to support RPKI, however as you know Mikrotik has been talking about v7 for years. The current beta version is severely broken to the point where it is surprising it made it to the beta stage.

From my understanding (and I’m sure I’ll be corrected if my knowledge is incorrect), RPKI is implemented independently of any upstream or downstream peers. If you only use Carrier A and you announce to them a prefix that has an invalid ROA, if they have RPKI configured they will drop that route, thus preventing access. The carrier can tell you that you need to have valid ROAs for your prefixes to be routable, however implementing RPKI on your own network is independent of any carrier.

The status of RouterOS is causing me to consider using VyOS as an alternate solution.

CH.

> On 29 Sep 2020, at 6:47 pm, Alex Samad <alex at samad.com.au> wrote:
> 
> 
> Hi
> 
> Wondering how prevalent is RPKI in transit providers in Oz. Just got an email from Exetel to say they are starting a rollout of it.
> 
> Seems like my ROS routers don't have it, seems like they have been talking about it back in 2014, still waiting on that feature to be added.
> 
> Curious if all of my transit providers are going to come knocking and asking for me to turn this on?
> 
> Plus some quick googling seems to suggest it's currently flawed.
> 
> Thanks
> Alex
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog