RPKI Invalid == Reject policies on the AS 3333 EBGP border
Dear RIPE Routing WG and RIPE NCC,
after having gone through all responses on the mailing list there seems to be unanimous support for RIPE NCC to proceed with the deployment of "RPKI Invalid == Reject" policies on the AS 3333 EBGP border.
Kind regards,
Job Snijders & Paul Hoogsteder
I am wondering if RIPE will still keep the BGP sessions to peers that feed the data for RIPEstat unfiltered (no dropping of invalids). It is nice to have a view of what invalids ASNs are advertising in that tool. I'm assuming that if they are filtered out, we would lose that visibility.
-Rich
On 3/26/21, 10:08 AM, "routing-wg on behalf of Paul Hoogsteder" <routing-wg-bounces@ripe.net on behalf of paul@meanie.nl> wrote:
CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.
Dear RIPE Routing WG and RIPE NCC,
after having gone through all responses on the mailing list there seems to be unanimous support for RIPE NCC to proceed with the deployment of "RPKI Invalid == Reject" policies on the AS 3333 EBGP border.
Kind regards,
Job Snijders & Paul Hoogsteder
E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
Hello Rich,
AS3333 is RIPE NCC's ASN, RIS (the route collector) has AS12654. So this should have no significant impact on RIPE Stat.
Kind regards,
Paul.
I am wondering if RIPE will still keep the BGP sessions to peers that feed the data for RIPEstat unfiltered (no dropping of invalids). It is nice to have a view of what invalids ASNs are advertising in that tool. I'm assuming that if they are filtered out, we would lose that visibility.
-Rich
On 3/26/21, 10:08 AM, "routing-wg on behalf of Paul Hoogsteder" <routing-wg-bounces@ripe.net on behalf of paul@meanie.nl> wrote:
Dear RIPE Routing WG and RIPE NCC,
after having gone through all responses on the mailing list there seems to be unanimous support for RIPE NCC to proceed with the deployment of "RPKI Invalid == Reject" policies on the AS 3333 EBGP border.
Kind regards,
Job Snijders & Paul Hoogsteder
Dear chairs, all,
On 26 Mar 2021, at 16:46, Paul Hoogsteder <paul@meanie.nl> wrote:
Dear RIPE Routing WG and RIPE NCC,
after having gone through all responses on the mailing list there seems to be unanimous support for RIPE NCC to proceed with the deployment of "RPKI Invalid == Reject" policies on the AS 3333 EBGP border.
Kind regards,
Job Snijders & Paul Hoogsteder
Many thanks for all your input, we will proceed accordingly. Expect a message from us soon!
Kind regards,
Nathalie Trenaman
RIPE NCC
Would "invalid" also include unsigned space? If it does, that might lead to legacy space or networks getting space through certain NIRs being accidentally blocked by whoever is relying on this, unless these blocks can be exempt from inclusion?
On 2021-03-26 16:46, Paul Hoogsteder wrote:
Dear RIPE Routing WG and RIPE NCC,
after having gone through all responses on the mailing list there seems to be unanimous support for RIPE NCC to proceed with the deployment of "RPKI Invalid == Reject" policies on the AS 3333 EBGP border.
Kind regards,
Job Snijders & Paul Hoogsteder
Dear W. Boot,
On Thu, Apr 01, 2021 at 12:38:27PM +0200, W. Boot wrote:
Would "invalid" also include unsigned space?
No. By definition, unsigned space can never ever be "RPKI invalid". In order for any BGP route to be marked as "RPKI invalid", a RPKI ROA _MUST_ exist. Without covering ROAs, BGP routes cannot be "RPKI invalid".
If it does, that might lead to legacy space or networks getting space through certain NIRs being accidentally blocked by whoever is relying on this, unless these blocks can be exempt from inclusion?
Luckily it doesn't! :-)
Operators who use RPKI to perform BGP Route Origin Validation do so to detect & reject invalid routes. As mentioned above, BGP routes can only be recognized as 'invalid' if and only if a covering ROA exists.
Complete and simple configuration examples can be found here: http://bgpfilterguide.nlnog.net/guides/reject_invalids/
By exclusively focussing on "RPKI invalid" BGP routes, RPKI ROV is incrementally deployable. Incremental deployability is a key factor.
Kind regards,
Job
participants (5)
- Compton, Rich A
- Job Snijders
- Nathalie Trenaman
- Paul Hoogsteder
- W. Boot