nanog mailing list archives
Re: deploying RPKI based Origin Validation
From: Mark Tinka <mark.tinka () seacom mu>
Date: Sat, 14 Jul 2018 11:03:16 +0200
On 14/Jul/18 09:11, Baldur Norddahl wrote:
In the RIPE part of the world there is no excuse for not getting RPKI correct because RIPE made it so easy. Perhaps the industry could agree on enabling RPKI validation on all european circuits for a start?
I think the first step (and what I'd consider to be a quick win) is if we determined all the prefixes that are being designated Invalid, and nail down how many of those are Invalid due to the fact that they are more-specifics announced without a ROA, vs. the parent aggregate which is ROA'd. We would then ask the operators of those prefixes to either withdraw them (easier, but unlikely) or sign them in the RPKI and create ROA's for them (more work, but more likely). Going for the latter. Once that is fixed, and even though the entire BGP world is not running RPKI, those that are and are dropping Invalids would be 100% certain that those Invalids are either leaks or hijacks. I think that will get us 50% of the way there, with the other 50% would now just be growing community participation in RPKI. Thankfully, I believe all (or most) of the RIR's support a simple "click of a button" to say "All prefixes up to a /24 or a /48 of the aggregate should automatically be ROA'd if the aggregate, itself, is ROA'd". So it shouldn't be a lot of work to get what is currently broken fixed. And the beauty, we don't need everyone to participate in the RPKI today for those that want the benefit right now to enjoy it so. Mark.
Current thread:
- Re: deploying RPKI based Origin Validation, (continued)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Grant Taylor via NANOG (Jul 13)
- Re: deploying RPKI based Origin Validation Christopher Morrow (Jul 13)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Grant Taylor via NANOG (Jul 13)
- Re: deploying RPKI based Origin Validation Christopher Morrow (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Baldur Norddahl (Jul 14)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 14)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 16)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 17)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 17)
- Re: deploying RPKI based Origin Validation George Michaelson (Jul 17)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 18)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- RE: deploying RPKI based Origin Validation Michel Py (Jul 17)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 18)
- RE: deploying RPKI based Origin Validation Michel Py (Jul 18)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 18)
- RE: deploying RPKI based Origin Validation Michel Py (Jul 18)