Re: [routing-wg] RPKI ROAs and Monitoring
Thanks for the inputs. I now went with packetvis. Does anybody know who is behind packetvis? The home page is pretty quiet. Basically it works, but I would have expected that packetvis also shows ROAs. It shows all my prefixes, but it does not show which of them have ROAs and which not. I guess I will give BGPalerter also a try.
regards
Klaus
-----Original Message-----
From: Massimo Candela <massimo@us.ntt.net>
Sent: Monday, 12 December 2022 12:38
To: Klaus Darilion <klaus.darilion@nic.at>
Cc: routing-wg@ripe.net
Subject: Re: [routing-wg] RPKI ROAs and Monitoring
Hello Klaus,
An open-source monitoring application that does exactly what you are asking for is BGPalerter [1]. Alternatively, if you are not keen on running the app yourself, there is https://packetvis.com which is a BGPalerter as a service.
Ciao, Massimo
[1] https://github.com/nttgin/BGPalerter
On Dec 12, 2022 12:12, Klaus Darilion via routing-wg <routing-wg@ripe.net> wrote:
Hello all!
Until now we have not used RPKI. For us at nic.at and RcodeZero DNS we are not on the validating side of RPKI, but we would only create ROAs, using the RIPE service. I could just login to the RIPE portal and in 5 minutes it is done. But I am a bit concerned about activating the service and do not care anymore. Hence I think we should have some monitoring too.
We have a defined target state, eg. prefix 83.136.32.0/21 should be announced from AS30971. So I think our monitoring should check:
- is there a ROA for 83.136.32.0/21 from AS30971
- is the ROA valid, ie. not expired
- Will validating ISPs accept these prefixes? Will validating ISPs reject this prefix if the origin AS is wrong (maybe having a local Routinator or querying a public service via API).
Do you think this makes sense? Is such monitoring already available and I only have to subscribe somewhere (free or commercial)? Do I miss something? Any hints what I should do before and after creating the ROAs?
Thanks
Klaus
PS: What happens if my ROAs expire. Will then my BGP announcements be ignored by validating ISPs or will it just be as if there are no ROAs at all?
No roa at all. However, if a less specific roa exists, or a roa for another AS, it could result in invalid. You would get notified by the monitoring if roas are expiring.
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
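Added example (not part of any message in this thread, and not BGPalerter or packetvis code): RFC 6811 origin validation in Python applied to the target state described above, showing why an expired ROA yields not-found unless a covering ROA for another AS turns the route invalid. The expiry dates, the 83.136.0.0/16 ROA, AS64500 and AS64511 are constructed, and expiry is modelled as a plain date per ROA.

```python
import ipaddress
from datetime import date

def origin_validation(prefix, origin_asn, vrps):
    """RFC 6811: classify a route against VRPs given as (prefix, max_len, asn)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"

def unexpired(roas, today):
    """Drop expired ROAs, as a validator would, and return the remaining VRPs."""
    return [(p, m, a) for p, m, a, not_after in roas if not_after >= today]

def check_target(prefix, asn, roas, today, wrong_asn=64511):
    """The checks from the thread: own origin accepted, wrong origin rejected."""
    vrps = unexpired(roas, today)
    return {
        "own_origin": origin_validation(prefix, asn, vrps),
        "wrong_origin": origin_validation(prefix, wrong_asn, vrps),
    }

# Constructed sample data: prefix and AS30971 are from the thread; the dates,
# the /16 ROA, AS64500 and AS64511 (documentation ASNs) are made up.
ROAS = [("83.136.32.0/21", 21, 30971, date(2023, 6, 30))]
ROAS_WITH_COVERING = ROAS + [("83.136.0.0/16", 16, 64500, date(2024, 12, 31))]

if __name__ == "__main__":
    for label, roas, today in [
        ("ROA in place", ROAS, date(2023, 1, 1)),
        ("ROA expired", ROAS, date(2023, 7, 1)),
        ("ROA expired, covering /16 ROA for another AS", ROAS_WITH_COVERING, date(2023, 7, 1)),
    ]:
        print(label, check_target("83.136.32.0/21", 30971, roas, today))
```

A monitor built on this would alert whenever `own_origin` is anything other than valid, which also catches a more specific announcement that exceeds the ROA's maximum length.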
On 12/12/2022 15:34, Klaus Darilion via routing-wg wrote:
It shows all my prefixes, but it does not show which of them have ROAs and which not. I guess I will give BGPalerter also a try.
Both BGPalerter and packetvis inform you of the prefixes without ROAs. In BGPalerter you have to set checkUncovered: true in monitorRPKI (see documentation [1]), in packetvis.com you have to enable rpki-unknown monitoring. These are disabled by default. When enabled, they will actively alert you. Instead, if you are looking for a webpage that summarizes your roa coverage, that could be a feature request for packetvis. However, the RIPE rpki portal (that you said you are using) already offers that.
[1] https://github.com/nttgin/BGPalerter/blob/main/docs/configuration.md#monitor...
Hi Klaus,
On 12/12/2022 15:34, Klaus Darilion via routing-wg wrote:
It shows all my prefixes, but it does not show which of them have ROAs and which not.
Both BGPalerter and packetvis inform you of the prefixes without ROAs. In BGPalerter you have to set checkUncovered: true in monitorRPKI (see documentation [1]), in packetvis.com you have to enable rpki-unknown monitoring. These are disabled by default. When enabled, they will actively alert you. Instead, if you are looking for a webpage that summarizes your roa coverage, that could be a feature request for packetvis.
This has been available for some weeks now. In the resources tab you will see a "key" icon telling you the RPKI status of the prefixes. If you click, you can see all the details about the covering ROAs. Ciao, Massimo
Does anybody know who is behind packetvis? The home page is pretty quiet.
massimo. his work is good enough he does not have to brag. :) randy
participants (3)
- Klaus Darilion
- Massimo Candela
- Randy Bush