nanog mailing list archives

Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

From: Alex Band <alex () nlnetlabs nl>
Date: Thu, 26 Mar 2020 15:44:04 +0100

Many congratulations for getting this deployed, Job!

Now that so many networks are dropping RPKI invalid announcements, for this to really have a practical effect operators 
should put in the effort to create and maintain ROAs for their route announcements. 

Over the last 10 years, the trend in most regions has been that first a large amount of ROAs were created by the local 
operator communities. After proving this was a high quality and well maintained data set, operators took the next step 
to start using RPKI to filter invalids. 

Especially in North America, the order seems to be flipped. While invalids are now being dropped more and more, ROA 
coverage is currently only at 7% in the US and 2.5% in Canada. Accuracy is at around 95%, so that’s great.

https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/

Please create ROAs!

-Alex

On 26 Mar 2020, at 01:50, Job Snijders <job () ntt net> wrote:

Dear group,

Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
based BGP Origin Validation on virtually all EBGP sessions, both
customer and peering edge. This change positively impacts the Internet
routing system.

The use of RPKI technology is a critical component in our efforts to
improve Internet routing stability and reduce the negative impact of
misconfigurations or malicious attacks. RPKI Invalid route announcements
are now rejected in NTT EBGP ingress policies. A nice side effect:
peerlock AS_PATH filters are incredibly effective when combined with
RPKI OV.

For NTT, this is the result of a multiyear project, which included
outreach, education, collaboration with industry partners, and
production of open source software shared among colleagues in the
industry.

Shout out to Louis & team (Cloudflare) for the open source GoRTR
software and the OpenBSD project for rpki-client(8).

I hope some take this news as encouragement to consider RPKI OV
"invalid == reject"-policies as safe to deploy in their own BGP
environments too. :-)

If you have questions, feel free to reach out to me directly or the
NTT NOC at <noc () ntt net>.

Kind regards,

Job

Current thread:

NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Job Snijders (Mar 25)
- Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Michel Py (Mar 25)
  - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies JASON BOTHE via NANOG (Mar 25)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Tom Hill (Mar 26)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Brandon Butterworth (Mar 26)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Tom Hill (Mar 26)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Jared Mauch (Mar 26)
- Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies L Sean Kennedy (Mar 26)
- Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Alex Band (Mar 26)
- Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Mark Tinka (Mar 31)
  - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Ben Maddison via NANOG (Mar 31)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Mark Tinka (Mar 31)
  - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Dorian Kim (Mar 31)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Mark Tinka (Mar 31)
    - Re: NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies Mark Tinka (Mar 31)