Hi Klaus! On Mon, Dec 12, 2022 at 12:12:03PM +0100, Klaus Darilion via routing-wg wrote:
Until now we have not used RPKI. For us at nic.at and RcodeZero DNS we are not on the validating side of RPKI, but we would only create ROAs, using the RIPE service. I could just log in to the RIPE portal and in 5 minutes it is done. But I am a bit concerned about activating the service and then not caring anymore. Hence I think we should have some monitoring too.
Monitoring your ROAs is a really good idea! I recommend taking a look at this presentation https://www.youtube.com/watch?v=cJUkOu9nWT8
We have a defined target state, e.g. prefix 83.136.32.0/21 should be announced from AS30971. So I think our monitoring should check:
- is there a ROA for 83.136.32.0/21 from AS30971
- is the ROA valid, i.e. not expired
- will validating ISPs accept these prefixes? Will validating ISPs reject this prefix if the origin AS is wrong (maybe having a local Routinator or querying a public service via API)?
Indeed, validating ISPs will reject the BGP announcement if the Origin AS is incorrectly configured in the ROA. Make sure to not make any typos when creating ROAs! :-) Here is a blog post that details what the impact is of misconfigured ROAs (and conversely - what the positive impact is of correctly configured ROAs!) https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of...
Do you think this makes sense? Is such monitoring already available and I only have to subscribe somewhere (free or commercial)? Am I missing something? Any hints what I should do before and after creating the ROAs?
One dataset to check for RPKI objects related to your prefixes is https://console.rpki-client.org/dump.json.gz (for all details) or https://console.rpki-client.org/vrps.json (for a condensed version).
PS: What happens if my ROAs expire? Will my BGP announcements then be ignored by validating ISPs, or will it just be as if there are no ROAs at all?
Indeed, then it will be like there are no ROAs at all.

Kind regards,
Job
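The checks Klaus lists above (is there a ROA for the prefix from the expected AS, is it unexpired, would a validating ISP accept the intended announcement and reject one with the wrong origin AS) can be run offline against a VRP list in the shape of the vrps.json that Job points to. The following is an added example written for this thread, not code from rpki-client, RIPE NCC or nic.at: it applies the RFC 6811 route origin validation procedure to a VRP list and drops expired VRPs first, which is exactly the "as if there were no ROA" behaviour Job describes. The field names ("roas", "asn", "prefix", "maxLength", "expires") are assumed to follow rpki-client's JSON output; adjust load_vrps() if the real file differs. The sample document and the AS64496 "hijacker" (a documentation ASN) are constructed for the example.

```python
"""Check a defined target state (prefix -> origin AS) against a VRP list.

Added illustration for the thread, not rpki-client, RIPE NCC or nic.at code.
Input layout assumed to match rpki-client's JSON output: a top-level "roas"
list whose entries carry "asn", "prefix", "maxLength" and optionally "expires".
"""
from __future__ import annotations

import ipaddress
import json
import time
from dataclasses import dataclass

# Constructed sample, not real data from console.rpki-client.org.
# The second entry is long expired and must be ignored by a relying party.
SAMPLE_VRPS_JSON = """
{
  "metadata": {"generated": 1670838000},
  "roas": [
    {"asn": "AS30971", "prefix": "83.136.32.0/21", "maxLength": 21, "ta": "ripe", "expires": 4102444800},
    {"asn": 64511, "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "ripe", "expires": 1},
    {"asn": "AS30971", "prefix": "2001:db8:1000::/36", "maxLength": 48, "ta": "ripe", "expires": 4102444800}
  ]
}
"""


@dataclass(frozen=True)
class Vrp:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int
    expires: int | None  # unix time, or None if the file carries no expiry


def parse_asn(value) -> int:
    """Accept both the 'AS30971' string form and a bare integer."""
    if isinstance(value, str) and value.upper().startswith("AS"):
        value = value[2:]
    return int(value)


def load_vrps(text: str, now: float | None = None) -> list[Vrp]:
    """Parse a vrps.json-style document, dropping VRPs whose ROA has expired.

    A relying party stops using an expired ROA, so for validation an expired
    VRP is equivalent to no VRP at all.
    """
    now = time.time() if now is None else now
    vrps: list[Vrp] = []
    for entry in json.loads(text)["roas"]:
        expires = entry.get("expires")
        if expires is not None and expires <= now:
            continue
        vrps.append(Vrp(
            prefix=ipaddress.ip_network(entry["prefix"], strict=True),
            max_length=int(entry["maxLength"]),
            asn=parse_asn(entry["asn"]),
            expires=expires,
        ))
    return vrps


def rov_state(prefix: str, origin_asn: int, vrps: list[Vrp]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A VRP covers the route when the route prefix lies within the VRP prefix.
    Any covering VRP whose AS matches and whose maxLength is at least the
    route's prefix length makes the route Valid; covering VRPs with no such
    match make it Invalid; no covering VRP at all is NotFound.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def check_target(prefix: str, origin_asn: int, vrps: list[Vrp],
                 bogus_asn: int = 64496) -> dict[str, bool]:
    """Monitoring verdict for one (prefix, origin AS) target.

    expected_valid: validating ISPs would accept the intended announcement.
    wrong_origin_rejected: the same prefix from another AS is Invalid, which
    proves a covering ROA exists rather than the prefix being NotFound.
    AS64496 (RFC 5398 documentation ASN) stands in for the wrong origin.
    """
    return {
        "expected_valid": rov_state(prefix, origin_asn, vrps) == "valid",
        "wrong_origin_rejected": rov_state(prefix, bogus_asn, vrps) == "invalid",
    }


if __name__ == "__main__":
    vrp_list = load_vrps(SAMPLE_VRPS_JSON)
    for target_prefix, target_asn in [("83.136.32.0/21", 30971),
                                      ("2001:db8:1000::/48", 30971),
                                      ("192.0.2.0/24", 64511)]:
        print(target_prefix, target_asn, check_target(target_prefix, target_asn, vrp_list))
```

Running this against the real vrps.json (read the file instead of SAMPLE_VRPS_JSON) and alerting whenever either flag flips to False covers the first three of Klaus's checks; the third entry in the sample shows why the negative check matters, since an expired ROA leaves the prefix NotFound rather than protected.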