Re: [routing-wg] RPKI ROAs and Monitoring

12 Dec 2022

      Thanks for the inputs.

I now went with packetvis. Does anybody know who is behind packetvis? The home page is pretty quiet. Basically it works, but I would have expected that packetivs also shows ROAs. It show all my prefixes, but it does not show which of them have ROAs and which not. I guess I will give BGPalerter also a try.

regards
Klaus
...
-----Ursprüngliche Nachricht-----
Von: Massimo Candela <massimo@us.ntt.net>
Gesendet: Montag, 12. Dezember 2022 12:38
An: Klaus Darilion <klaus.darilion@nic.at>
Cc: routing-wg@ripe.net
Betreff: Re: [routing-wg] RPKI ROAs and Monitoring
Hello Klaus,
An open-source monitoring application that does exactly what you are
asking for is BGPalerter [1]. Alternatively, if you are not keen on
running the app yourself, there is https://packetvis.com which is a
BGPalerter as a service.
Ciao,
Massimo
[1] https://github.com/nttgin/BGPalerter
On Dec 12, 2022 12:12, Klaus Darilion via routing-wg <routing-
wg@ripe.net> wrote:
Hello all!
Until now we have not used RPKI. For us at nic.at and RcodeZero DNS
we are not on the validating side of RPKI, but we would only create
ROAs, using the RIPE service. I could just login to the RIPE portal and
in 5 minutes it is done. But I am a bit concerned about activating the
service and do not care anymore. Hence I think we should have some
monitoring too.
We have a defined target state, eg. prefix 83.136.32.0/21 should be
announced from AS30971. So I think our monitoring should check:
-          is there a ROA for 83.136.32.0/21 from AS30971
-          is the ROA valid, ie. not expired
-          Will validating ISPs accept these prefixes? Will
validating ISPs reject this prefix if the orign AS is wrong (maybe
having a local Routinator or queriying a public service via API).
Do you think this makes sense? Is such monitoring already available
and I only have to subcribe somewhere (free or comemrcial)? Do I miss
something? Any hints what I should do before and after creating the
ROAs?
Thanks
Klaus
PS: What happens if my ROAs expire. Will then my BGP announcements
be ignored by validating ISPs or will it just be as if there are no ROAs
at all?
No roa at all. However, if a less specific roa exists, or a roa for
another AS, it could result in invalid. You would get notified by the
monitoring if roas are expiring.
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria