[AusNOG] BGP rpki

Alex Samad alex at samad.com.au
Wed Sep 30 08:15:48 EST 2020


Hi Randy

Awesome, that's what I wanted to know/confirm. I'm the originator.

Thanks


On Wed, 30 Sep 2020 at 01:18, Randy Cassidy <randy.cassidy at iracing.com>
wrote:

> Hi Alex,
>
> The ROA is something you create/sign via your regional registry (APNIC in
> your case, ARIN for me).  There's nothing you configure on your own routers
> as far as announcing your (signed or unsigned) prefixes to your Transit
> providers.  The ROA basically says "it is valid for the following AS number
> to *originate* the announcement of the following
> (IP/prefix_length/max_prefix_length) list".  Networks that implement RPKI
> use "out of band" mechanisms to perform the validation of the routes they
> receive via BGP.
>
> For example, if you owned 10.11.0.0/16, and your AS number was 65432,
> your ROA might say "65432 is allowed to announce 10.11.0.0/16".  You must
> also specify the "max prefix length".  I'm fuzzy on this, but I believe the
> reason is to prevent other networks from accidentally leaking internally
> dis-aggregated blocks of your routes to the outside world.  Since "longer
> prefix wins", they could accidentally (or intentionally) force all your
> inbound traffic to flow through them.  So if you know that you'll never
> announce blocks of your /16 IP space with a prefix length greater than /20,
> you'd specify 20 as the max prefix length in your ROA.  If some other
> network has internally split you down into /24's, and then leaked those,
> any other networks that have implemented route origin validation would
> reject them, as they're more specific than you allow.
>
> This is for ARIN, but the fields in each ROA should be the same for APNIC.
> https://www.arin.net/resources/manage/rpki/roa_request/
>
> I hope that explanation helps!
>
> Randy
>
> On Tue, Sep 29, 2020 at 10:16 AM Alex Samad <alex at samad.com.au> wrote:
>
>> Hi
>>
>> I'll answer the last.
>>
>> So if I am the origin and I use multiple transit providers, don't I have
>> to sign mine? So I get I have to go to MyAPNIC and set up a ROA, but don't
>> I have to sign my prefix (sorry, I'm new to this) before sending this
>> upstream? Isn't the verification done by checking the signatures of all of
>> the ASes?
>>
>>
>> ROS 7 - yes, buggy a ... been waiting for multithread BGP for ...... I
>> like the platform, but I have given up on them..
>>
>> Thanks for all of the replies
>>
>>
>> On Tue, 29 Sep 2020 at 19:28, Aftab Siddiqui <aftab.siddiqui at gmail.com>
>> wrote:
>>
>>> Hi Alex,
>>> If you are not doing ROV (Route Origin Validation) then you don't have
>>> to do anything on your end. Great to hear that Exetel is planning to do
>>> validation, but that means you have to create ROAs (Route Origin
>>> Authorizations) on the MyAPNIC portal, if you don't have them already.
>>>
>>> Regards,
>>>
>>> Aftab A. Siddiqui
>>>
>>>
>>> On Tue, 29 Sep 2020 at 18:46, Alex Samad <alex at samad.com.au> wrote:
>>>
>>>> Hi
>>>>
>>>> Wondering how prevalent RPKI is in transit providers in Oz. Just got an
>>>> email from Exetel to say they are starting a rollout of it.
>>>>
>>>> Seems like my ROS routers don't have it; seems like they have been
>>>> talking about it back in 2014, still waiting on that feature to be added.
>>>>
>>>> Curious if all of my transit providers are going to come knocking and
>>>> asking for me to turn this on?
>>>>
>>>> Plus some quick googling seems to suggest it's currently flawed..
>>>>
>>>> Thanks
>>>> Alex
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>
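The origin-validation logic Randy describes above (a ROA covering a prefix, the originating AS, and the max-length that turns a leaked /24 into an Invalid route), worked through as an added Python example that is not part of the thread. The ROA set and the announcements are constructed sample values built around Randy's 10.11.0.0/16 / AS65432 scenario; the Valid, Invalid and NotFound states follow RFC 6811, and the "AS 0 never matches" rule follows RFC 7607.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example for the AusNOG thread, not code from any participant.
All ROAs and routes below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "10.11.0.0/16"
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS; AS 0 means "nobody" (RFC 7607)

    def network(self) -> Network:
        return ipaddress.ip_network(self.prefix)


def covers(roa: ROA, route: Network) -> bool:
    """A ROA covers a route when the route lies inside the ROA prefix.

    A less-specific aggregate (e.g. a /13 against a /16 ROA) is NOT covered.
    """
    roa_net = roa.network()
    return roa_net.version == route.version and route.subnet_of(roa_net)


def matches(roa: ROA, route: Network, origin_as: int) -> bool:
    """A covering ROA matches when the origin AS is the authorised one and
    the announced length does not exceed max_length. AS 0 never matches."""
    return (roa.asn != 0
            and roa.asn == origin_as
            and route.prefixlen <= roa.max_length)


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify one (prefix, origin AS) announcement as RFC 6811 does."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"        # no ROA speaks about this space at all
    if any(matches(r, route, origin_as) for r in covering):
        return "Valid"           # one matching ROA is enough
    return "Invalid"             # covered, but wrong AS or too specific


def accept(state: str) -> bool:
    """Common deployment policy: drop Invalid, accept Valid and NotFound."""
    return state != "Invalid"


# Constructed ROA set (sample values, not real registry data):
#  - AS65432 may originate 10.11.0.0/16 down to /20 (Randy's scenario)
#  - a customer, AS65001, holds one /24 out of that /16 with its own ROA
#  - 192.0.2.0/24 is published with AS 0, i.e. nobody may originate it
SAMPLE_ROAS = [
    ROA("10.11.0.0/16", 20, 65432),
    ROA("10.11.255.0/24", 24, 65001),
    ROA("192.0.2.0/24", 24, 0),
]

# Constructed announcements a validating router might receive
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("10.11.0.0/16", 65432),    # the real aggregate
    ("10.11.0.0/20", 65432),    # within max-length
    ("10.11.5.0/24", 65432),    # more specific than the ROA allows
    ("10.11.5.0/24", 65001),    # leaked /24 from a third party
    ("10.11.0.0/16", 65001),    # origin hijack of the aggregate
    ("10.11.255.0/24", 65001),  # customer /24 with its own ROA
    ("10.8.0.0/13", 65432),     # less-specific aggregate, no ROA covers it
    ("192.0.2.0/24", 65432),    # AS 0 ROA: always Invalid
]


def classify_sample() -> List[Tuple[str, int, str]]:
    """Run every constructed route through validate()."""
    return [(p, a, validate(p, a, SAMPLE_ROAS)) for p, a in SAMPLE_ROUTES]


if __name__ == "__main__":
    for prefix, asn, state in classify_sample():
        action = "accept" if accept(state) else "drop"
        print(f"{prefix:<16} AS{asn:<6} {state:<9} -> {action}")
```

The interesting rows are the two /24s out of 10.11.0.0/16: 10.11.5.0/24 is Invalid from either AS because the only covering ROA stops at /20, while 10.11.255.0/24 from AS65001 is Valid because a second, more specific ROA covers it. That is the max-length behaviour Randy describes, and it is also why a max-length set more loosely than what you actually announce widens what a hijacker can get accepted.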