Re: What are best practices for RPKI ROV in transit networks....

[Ben Maddison via NANOG <nanog () nanog org>]

Hi Steve,

On 10/28, ssw () iu edu wrote:
> Greetings,
>
> We seek input on best practices for implementing RPKI ROV in a transit
> (partial transit) network. The Internet2 network provides partial
> transit for many of the K-12 and higher education institutions in the
> US. Our customer routes number just over 6,000. We work with our
> customers to assist with the adoption of MANRS, including creating
> RPKI ROAs for their resources.
>
>  At some point in the future, we'd like to implement RPKI route origin
>  validation (e.g., dropping invalids). Given that some routes may have
>  mistaken ROAs that resolve to an invalid state, is there a
>  standard/best practice for processing exceptions?

Yes, SLURM, defined in RFC8416, provides a means of expressing local
policy exceptions. All the RP implementations in common use (that I am
aware of) support it.

However...

>  Or, do transit providers that implement ROAs drop all routes that are
>  invalid?

We have had discard-invalid policy in production on every eBGP adjacency
since April 2019.

In that time, we have had *zero* incidents that could not be resolved
without the creation of local exceptions. My understanding from
colleagues at other operators is that their experience has been similar.

As always, your experience may be different, so it is wise to be
prepared.

Cheers,

Ben

Attachment: signature.asc
Description: