[AusNOG] BGP rpki
Randy Cassidy
randy.cassidy at iracing.com
Wed Sep 30 12:21:19 EST 2020
Glad that helped, Alex.
The recent thread today about Telstra announcing /24s out of someone else's
IP space is a perfect example of this in action (if Telstra was making
those announcements outside their own network).
If the provider originating those blocks had created ROA records (I
checked, and they had not), it would have reduced the damage.
Randy
On Tue, Sep 29, 2020, 6:15 PM Alex Samad <alex at samad.com.au> wrote:
> Hi Randy
>
> awesome, that's what i wanted to know/confirm. I'm the originator.
>
> Thanks
>
>
> On Wed, 30 Sep 2020 at 01:18, Randy Cassidy <randy.cassidy at iracing.com>
> wrote:
>
>> Hi Alex,
>>
>> The ROA is something you create/sign via your regional registry (APNIC in
>> your case, ARIN for me). There's nothing you configure on your own routers
>> as far as announcing your (signed or unsigned) prefixes to your Transit
>> providers. The ROA basically says "it is valid for the following AS number
>> to *originate *the announcement of the following
>> (IP/prefix_length/max_prefix_length) list. Networks that implement RPKI
>> use "out of band" mechanisms to perform the validation of the routes they
>> receive via BGP.
>>
>> For example, if you owned 10.11.0.0/16, and your AS number was 65432,
>> your ROA might say "65432 is allowed to announce 10.11.0.0/16". You
>> must also specify the "max prefix length". I'm fuzzy on this, but I
>> believe the reason is to prevent other networks from accidentally leaking
>> internally dis-aggregated blocks of your routes to the outside world.
>> Since "longer prefix wins", they could accidentally (or intentionally)
>> force all your inbound traffic to flow through them. So if you know that
>> you'll never announce blocks of your /16 IP space with a prefix length
>> greater than /20, you'd specify 20 as the max prefix length in your ROA.
>> If some other network has internally split you down into /24's, and then
>> leaked those, any other networks that have implemented route origin
>> validation would reject them, as they're more specific than you allow.
>>
>> This is for ARIN, but the fields in each ROA should be the same for APNIC.
>> https://www.arin.net/resources/manage/rpki/roa_request/
>>
>> I hope that explanation helps!
>>
>> Randy
>>
>> On Tue, Sep 29, 2020 at 10:16 AM Alex Samad <alex at samad.com.au> wrote:
>>
>>> Hi
>>>
>>> I'll answer the last.
>>>
>>> So if I am the origin and I use multiple transit providers. Don't I
>>> have to sign mine. So I get i have to go to myapnic and setup a ROA. but
>>> don't i have to sign my prefix (sorry, i'm new to this), before send this
>>> up stream. Isn't the verification done by checking the signatures of all of
>>> the AS.
>>>
>>>
>>> ROS 7 - yes buggy a ... been waiting for multhread bgp for ...... I
>>> like the platform, but i have given up on them..
>>>
>>> Thanks for all of the replies
>>>
>>>
>>> On Tue, 29 Sep 2020 at 19:28, Aftab Siddiqui <aftab.siddiqui at gmail.com>
>>> wrote:
>>>
>>>> Hi Alex,
>>>> If you are not doing ROV (Route Origin Validation) then you don't have
>>>> to do anything on your end. Great to hear that Exetel is planning to do
>>>> validation but that means you have to create ROAs (Route Origin
>>>> Authorization) on myapnic portal, if you don't have them already.
>>>>
>>>> Regards,
>>>>
>>>> Aftab A. Siddiqui
>>>>
>>>>
>>>> On Tue, 29 Sep 2020 at 18:46, Alex Samad <alex at samad.com.au> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Wondering how prevalent is RPKI in transit providers in Oz. Just got
>>>>> an email from exetel to say they are starting a rollout of it.
>>>>>
>>>>> Seems like my ROS routers don't have it, seems like they have been
>>>>> talking about back in 2014, still waiting on that feature to be added.
>>>>>
>>>>> Curious if all of my transit providers are going to come knocking and
>>>>> asking for me to turn this on ?
>>>>>
>>>>> Plus some quick googling seems to suggest its currently flawed..
>>>>>
>>>>> Thanks
>>>>> Alex
>>>>> _______________________________________________
>>>>> AusNOG mailing list
>>>>> AusNOG at lists.ausnog.net
>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>
>>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20200929/a2580025/attachment.html>
More information about the AusNOG
mailing list