Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

[L Sean Kennedy <liam () fedney org>]

Job,

Congratulations to NTT, AT&T, and others in our community who have deployed
validation on their network edge.  What is really exciting is all the
activity in this and other operator regions that has come together to
promote securing the routing system by combining multiple strategies.  This
shift to leadership by example is a big shift from just using the mailing
list for public shaming anti-social behavior.  (Public shaming should still
be used strategically :-).

While this is an important step, the big win that I see is the larger
project promoting securing the routing system by combining multiple
strategies.  There is significant power in combining multiple strategies
and engaging other organizations to develop their own multi-pronged
approach.  That evangelizing and investing in "leadership by example" has
really accelerated this project in ways that individual engineers struggled
to do so before and as a community where we remained stuck in the past.  By
raising the industry standard for routing security, implementation of these
measures is no longer optional, and that has been done without government
interference.  NTT has invested in bringing this whole package to the NANOG
region -- developing tools, working with other networks and even
competitors, and evangelization of routing security.

I am speaking on my own behalf, but as NANOG has started using social media
and other online tools to promote the knowledge of the community, I will
talk to the PC and staff about curating routing security materials for an
educational playlist.  If there is any chance you could resend a link to
some of your materials, I think that would be beneficial (IRR tools, rpki
validation and planning tools, peerlock implementation)?  I also encourage
any operator with a few spare minutes to poke around manrs.org/isps .

Thanks,
 Sean

Em qui., 26 de mar. de 2020 às 08:32, Job Snijders <job () ntt net> escreveu:

> Dear group,
>
> Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
> based BGP Origin Validation on virtually all EBGP sessions, both
> customer and peering edge. This change positively impacts the Internet
> routing system.
>
> The use of RPKI technology is a critical component in our efforts to
> improve Internet routing stability and reduce the negative impact of
> misconfigurations or malicious attacks. RPKI Invalid route announcements
> are now rejected in NTT EBGP ingress policies. A nice side effect:
> peerlock AS_PATH filters are incredibly effective when combined with
> RPKI OV.
>
> For NTT, this is the result of a multiyear project, which included
> outreach, education, collaboration with industry partners, and
> production of open source software shared among colleagues in the
> industry.
>
> Shout out to Louis & team (Cloudflare) for the open source GoRTR
> software and the OpenBSD project for rpki-client(8).
>
> I hope some take this news as encouragement to consider RPKI OV
> "invalid == reject"-policies as safe to deploy in their own BGP
> environments too. :-)
>
> If you have questions, feel free to reach out to me directly or the
> NTT NOC at <noc () ntt net>.
>
> Kind regards,
>
> Job