On 2020-03-26 02:09, Job Snijders wrote:
Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI based BGP Origin Validation on virtually all EBGP sessions, both customer and peering edge. This change positively impacts the Internet routing system.
Hello Job,

It is the word "virtually" that triggers me :), because in my mind it translates to "not all of them". Why haven't you enabled it on all our EBGP sessions? And doesn't this make enabling it on the rest of the validation less useful? Because if an invalid announcement is received on an EBGP session without RPKI validation, doesn't it propagate through the rest of the network via iBGP, and thus make the hijack reachable for all of NTT?

I'm sure you guys thought about this, but I'm just wondering what you did to prevent the scenario I just described :).

Thanks for making the world a safer place!

Kind regards,
Tijn Buijs