[RPKI-Discuss] [routing-wg] RPKI Route Origin Validation on RIPE NCC Network

Patrick Okui pokui at psg.com
Thu Jun 3 18:01:49 UTC 2021


I was hoping someone else would respond before me:

In general I feel that organisations that publish RPKI data should also reject invalids, or we end up possibly passing on hijacked announcements which we set out to stop in the first place.

However, AFRINIC is one of the atypical organisations that may not do that at least not for all their network for the very same reasons spelt out in the first part of that article.

In short the training (and likely other) teams would likely appreciate stats on how many invalids look like typos rather than hijacks.

Therefore, what could be useful is an approach where:

1. AFRINIC border routers tag invalids so a route collector doing stats generation has access to the invalid routes for analysis. It will be very important for this collector to have a public facing looking glass or some sort of output that can be seen due to point 2.

2. The routers that act as the “gateways” for the AFRINIC servers, corporate network(s), i.e parts not participating in analysis (1) above would then drop the invalids.

3. Reachability issues to AFRINIC members (or anyone worldwide really) due to 2 would need to be checked against possible errors based on data available in (1) and possibly trigger direct outreach/training/.. efforts.

my 2 cents.

On 14 Apr 2021, at 9:50 EAT, Amreesh Phokeer wrote:


> Hi all,

>

> Just to spark some discussions here. What do you think about AFRINIC

> dropping invalids?

>

> Cheers,

> Amreesh

>

>

>

> ---------- Forwarded message ---------

> From: Nathalie Trenaman <nathalie at ripe.net>

> Date: Tue, Apr 13, 2021 at 5:28 PM

> Subject: [routing-wg] RPKI Route Origin Validation on RIPE NCC Network

> To: <routing-wg at ripe.net>

>

>

> Dear colleagues,

>

> (My colleagues are drafting a reply on the rsync issue)

>

> Following up on my previous email and the discussion we had in this mailing

> last about enabling Route Origin Validation (ROV) invalid == reject on the

> RIPE NCC’s network, AS3333, I am happy to inform you that we will be going

> ahead on Monday, 19 April.

>

> I have written a RIPE Labs article with more information, which you can

> find at:

> https://labs.ripe.net/author/nathalie_nathalie/rpki-and-as3333-or-how-we-eat-our-own-dogfood/

>

> Thank you very much for your contributions, discussion and support.

>

> Kind Regards,

>

> Nathalie Trenaman

> Routing Security Programme Manager

> RIPE NCC

>

>

>

>

> --

> Amreesh Phokeer



> _______________________________________________

> RPKI-Discuss mailing list

> RPKI-Discuss at afrinic.net

> https://lists.afrinic.net/mailman/listinfo/rpki-discuss



--
patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpki-discuss/attachments/20210603/2813fa2f/attachment.html>


More information about the RPKI-Discuss mailing list