RPKI ROAs and Monitoring
Hello all!

Until now we have not used RPKI. For us at nic.at and RcodeZero DNS we are not on the validating side of RPKI, but we would only create ROAs, using the RIPE service. I could just log in to the RIPE portal and in 5 minutes it is done. But I am a bit concerned about activating the service and then not caring about it anymore. Hence I think we should have some monitoring too.

We have a defined target state, e.g. prefix 83.136.32.0/21 should be announced from AS30971. So I think our monitoring should check:

- is there a ROA for 83.136.32.0/21 from AS30971
- is the ROA valid, i.e. not expired
- will validating ISPs accept these prefixes? Will validating ISPs reject this prefix if the origin AS is wrong (maybe having a local Routinator or querying a public service via API)?

Do you think this makes sense? Is such monitoring already available and I only have to subscribe somewhere (free or commercial)? Do I miss something? Any hints what I should do before and after creating the ROAs?

Thanks
Klaus

PS: What happens if my ROAs expire? Will then my BGP announcements be ignored by validating ISPs, or will it just be as if there are no ROAs at all?

--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
Hi Klaus!

On Mon, Dec 12, 2022 at 12:12:03PM +0100, Klaus Darilion via routing-wg wrote:
Until now we have not used RPKI. For us at nic.at and RcodeZero DNS we are not on the validating side of RPKI, but we would only create ROAs, using the RIPE service. I could just log in to the RIPE portal and in 5 minutes it is done. But I am a bit concerned about activating the service and then not caring about it anymore. Hence I think we should have some monitoring too.
Monitoring your ROAs is a really good idea! I recommend taking a look at this presentation https://www.youtube.com/watch?v=cJUkOu9nWT8
We have a defined target state, e.g. prefix 83.136.32.0/21 should be announced from AS30971. So I think our monitoring should check:

- is there a ROA for 83.136.32.0/21 from AS30971
- is the ROA valid, i.e. not expired
- will validating ISPs accept these prefixes? Will validating ISPs reject this prefix if the origin AS is wrong (maybe having a local Routinator or querying a public service via API)?
Indeed, validating ISPs will reject the BGP announcement if the Origin AS is incorrectly configured in the ROA. Make sure to not make any typos when creating ROAs! :-) Here is a blog post that details what the impact is of misconfigured ROAs (and conversely - what the positive impact is of correctly configured ROAs!) https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of...
Do you think this makes sense? Is such monitoring already available and I only have to subscribe somewhere (free or commercial)? Do I miss something? Any hints what I should do before and after creating the ROAs?
One dataset to check for RPKI objects related to your prefixes is https://console.rpki-client.org/dump.json.gz (for all details) or https://console.rpki-client.org/vrps.json (for condensed version)
PS: What happens if my ROAs expire? Will then my BGP announcements be ignored by validating ISPs, or will it just be as if there are no ROAs at all?

Indeed, then it will be like there are no ROAs at all.

Kind regards,
Job
Hello Klaus,

An open-source application that does exactly the monitoring you are describing is BGPalerter [1]. Alternatively, if you are not keen on running the app by yourself, you can use https://packetvis.com, BGPalerter as a service.

On 12/12/2022 12:12, Klaus Darilion via routing-wg wrote:

PS: What happens if my ROAs expire? Will then my BGP announcements be ignored by validating ISPs, or will it just be as if there are no ROAs at all?

No ROAs at all. However, if a ROA with a conflicting maxLength or origin AS exists and is not expired, your announcement can become invalid. The monitoring will let you know of expiring ROAs (and of invalid announcements).

Ciao,
Massimo

[1] https://github.com/nttgin/BGPalerter
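To make the checks from Klaus's list and Massimo's caveat concrete, here is an added example (not code from the thread, and not from BGPalerter, Routinator or rpki-client) that implements RFC 6811 route-origin validation over a list of VRPs and then runs the target-state checks against it: ROA present, ROA not about to expire, intended announcement Valid, and other origins authorised by covering ROAs (a stale configuration or a conflicting maxLength). The VRP list, the expiry dates, AS65000 and the 2001:db8::/32 prefix are constructed for the example; a real run would load VRPs from a local validator.

```python
"""
RFC 6811 route-origin validation over a VRP list, plus the ROA monitoring
checks discussed in the thread. Added example; not code from the thread or
from any of the tools named in it. VRP data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    prefix: str
    max_length: int
    asn: int
    expires: datetime  # assumed field: when the ROA (or its EE cert) expires


def active_vrps(vrps, now):
    """An expired ROA is ignored by validators: it is as if it never existed."""
    return [v for v in vrps if v.expires > now]


def covering(vrps, prefix):
    """VRPs whose prefix contains (or equals) the announced prefix."""
    net = ip_network(prefix)
    return [v for v in vrps
            if ip_network(v.prefix).version == net.version
            and net.subnet_of(ip_network(v.prefix))]


def validate(vrps, prefix, origin_asn):
    """RFC 6811: 'notfound' without covering VRPs, 'valid' if one matches
    origin AS and maxLength, otherwise 'invalid' (dropped by validating ISPs)."""
    net = ip_network(prefix)
    cov = covering(vrps, prefix)
    if not cov:
        return "notfound"
    for v in cov:
        # AS0 VRPs never match; they only serve to make announcements invalid.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def check_target_state(vrps, targets, now, warn_within=timedelta(days=30)):
    """Findings as (prefix, asn, message) for each (prefix, asn) in targets."""
    findings = []
    live = active_vrps(vrps, now)
    for prefix, asn in targets:
        net = ip_network(prefix)
        cov = covering(live, prefix)
        exact = [v for v in cov if ip_network(v.prefix) == net
                 and v.asn == asn and v.max_length >= net.prefixlen]
        if not exact:
            findings.append((prefix, asn, "no unexpired ROA for this prefix and origin"))
        for v in exact:
            if v.expires - now <= warn_within:
                findings.append((prefix, asn, "ROA expires " + v.expires.date().isoformat()))
        state = validate(live, prefix, asn)
        if state != "valid":
            findings.append((prefix, asn, "intended announcement is " + state))
        # Other origins authorised by covering ROAs: a multi-origin setup or a
        # stale configuration. If our own matching ROA disappears, these turn
        # the announcement 'invalid' rather than 'notfound'.
        others = sorted({v.asn for v in cov if v.asn != asn})
        if others:
            findings.append((prefix, asn, "other origins also authorised: "
                             + ", ".join("AS%d" % a for a in others)))
    return findings


# Constructed sample data: the thread's prefix and AS, a private ASN for a
# stale ROA, and a documentation IPv6 prefix. Expiry dates are invented.
NOW = datetime(2022, 12, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_VRPS = [
    VRP("83.136.32.0/21", 21, 30971, NOW + timedelta(days=300)),  # intended ROA
    VRP("83.136.32.0/21", 24, 65000, NOW + timedelta(days=600)),  # stale ROA
    VRP("2001:db8::/32", 48, 30971, NOW - timedelta(days=1)),      # already expired
]
TARGETS = [("83.136.32.0/21", 30971), ("2001:db8::/32", 30971)]

if __name__ == "__main__":
    for finding in check_target_state(SAMPLE_VRPS, TARGETS, NOW):
        print(finding)
    # A year later the intended ROA has expired but the stale one has not:
    # the announcement is now invalid, not notfound.
    print(validate(active_vrps(SAMPLE_VRPS, NOW.replace(year=2023)),
                   "83.136.32.0/21", 30971))
```

Two results are worth noting when running this: the stale AS65000 ROA with maxLength 24 makes a /24 announced by AS65000 Valid (a hijack that validating ISPs would accept), and once the AS30971 ROA expires while the stale one remains, the /21 from AS30971 becomes Invalid rather than NotFound, which is exactly the case Massimo describes.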
An open-source application that does exactly the monitoring you are describing is BGPalerter [1]. Alternatively, if you are not keen on running the app by yourself, you can use https://packetvis.com, BGPalerter as a service.

i very strongly recommend these

randy
Hi Klaus, all,
On 12 Dec 2022, at 12:12, Klaus Darilion via routing-wg <routing-wg@ripe.net> wrote:

... Is such monitoring already available and I only have to subscribe somewhere (free or commercial)? Do I miss something? Any hints what I should do before and after creating the ROAs?
BGPalerter and packetvis are great! But, in addition, you mentioned you are using the RIPE NCC LIR Portal service for this. This service includes BGP previews and email alerts of ROAs vs BGP based on BGP announcement dumps from the RIS route collectors. These dumps can be old, they may not include your route origin invalids if they are dropped before making it to any collector, and they may include announcements done by others (mostly typos). You should double check any suggestions based on this, but still, it's another useful tool to use in addition.
PS: What happens if my ROAs expire?

In the RIPE NCC portal service you *configure* ROAs, but the actual ROA objects are created and renewed automatically. So, they will not expire. They are removed and revoked when you remove the configuration. You would do well to check for 'stale' configurations (for announcements that are no longer supposed to be done) that you may wish to remove.

Tim