nanog mailing list archives
Re: deploying RPKI based Origin Validation
From: Joshua Vijsma / True <Joshua.Vijsma () true nl>
Date: Thu, 19 Jul 2018 20:47:56 +0000
Hi all, Just wanted to share our (AS15703, True B.V.) experience as a hosting provider with enabling RPKI invalid filtering (invalid == reject). We've secured (most of) our routes since 2014 with ROAs but last Tuesday we have deployed filters which reject RPKI invalid routes. We have had two tickets regarding users in one certain RPKI invalid prefix not being able to reach our network, but those people quickly understood that this wasn't our problem but a problem with their hosting partner. They took it up with their hosting partner and it was fixed within a day. Overal, I would certainly recommend filtering RPKI invalids (and create ROAs for your prefixes!!) to prevent hijacks. -- Met vriendelijke groet / Best regards, Joshua Vijsma
On 13 Jul 2018, at 14:00, nanog-request () nanog org wrote: ------------------------------ Message: 2 Date: Thu, 12 Jul 2018 17:50:29 +0000 From: Job Snijders <job () ntt net> To: nanog () nanog org Subject: deploying RPKI based Origin Validation Message-ID: <20180712175029.GC3037 () vurt meerval net> Content-Type: text/plain; charset=us-ascii Hi all, I wanted to share with you that a ton of activity is taking place in the Dutch networker community to deploy RPKI based BGP Origin Validation. The mantra is "invalid == reject" on all EBGP sessions. What's of note here is that we're now seeing the first commercial ISPs doing Origin Validation. This is a significant step forward compared to what we observed so far (it seemed OV was mostly limited to academic institutions & toy networks). But six months ago Amsio (https://www.amsio.com/en/) made the jump, and today Fusix deployed (https://fusix.nl/deploying-rpki/). We've also seen an uptake of Origin Validation at Internet Exchange route servers: AMS-IX and FranceIX have already deployed. I've read that RPKI OV is under consideration at a number of other exchanges. Other cool news is that Cloudflare launched a Certificate Transparency initiative to help keep everyone honest. Announcement at: https://twitter.com/grittygrease/status/1017224762542587907 Certificate Transparency is a fascinating tool, really a necessity to build confidence in any PKI systems. Anyone here working to deploy RPKI based Origin Validation in their network and reject invalid announcements? Anything of note to share? Kind regards, Job
Current thread:
- Re: deploying RPKI based Origin Validation, (continued)
- Message not available
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 27)
- Re: deploying RPKI based Origin Validation Alex Band (Jul 27)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 14)
- Re: deploying RPKI based Origin Validation Saku Ytti (Jul 14)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 14)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 19)