[ITNOG] Fwd: [routing-wg] RPKI Route Origin Validation and AS3333
Antonio Prado
antonio@prado.it
Thu 18 Mar 2021 16:09:37 CET
-------- Forwarded Message --------
Subject: [routing-wg] RPKI Route Origin Validation and AS3333
Date: Thu, 18 Mar 2021 16:03:16 +0100
From: Nathalie Trenaman <nathalie@ripe.net>
To: routing-wg@ripe.net
Dear Colleagues, Working Group,
As discussed previously in this mailing list, some community members
expressed that they would like to see the RIPE NCC perform Route Origin
Validation on AS3333. We decided to ask the community for advice and
guidance on how we should proceed.
What is Route Origin Validation?
Route Origin Validation is a mechanism by which route advertisements can
be authenticated as originating from an expected autonomous system (AS).
The best current practice is to drop RPKI invalid BGP announcements.
These are announcements that conflict with the statement as described in
a Route Origin Authorization (ROA).
What is AS3333?
This is the AS Number for the RIPE NCC’s main service network. It
includes most of our *.ripe.net websites, including
the LIR Portal (my.ripe.net) and the RIPE Database.
What is the Problem?
Currently, some of our upstream providers already perform ROV. This
means that some of our members that potentially misconfigured their ROA
or members who have lost control of creation and modification of their
ROAs cannot reach our services via those peers.
On the other hand, some of our upstream providers do not perform ROV,
and if a member’s prefix is being announced by a hijacker, they cannot
access our services. We already received a report about this. This is
also not an ideal situation.
From the network operations perspective, there are no obstacles to
enable ROV on AS3333, however, we have to consider that members or End
Users who announce something different in BGP than their ROA claims,
will be dropped and lose access to our services from their network. This
includes the RPKI Dashboard where they can make changes to their ROAs.
This is especially relevant when members operate certificate generation
in hosted mode, which is the current operation mode for almost all of
our members.
From an analysis we made on 10 February, there were 511 of such
announcements from our members and End Users.
Our current RPKI Terms and Conditions do not mention that a Member or
End User ROA should match their routing intentions, or any implications
it may have if the ROA does not match their BGP announcement. If the
community decides it is important that AS3333 performs ROV, our legal
team needs to update the RPKI Terms and Conditions to reflect the
potential impact.
I welcome a respectful discussion and look forward to your advice and
guidance.
Kind regards,
Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC
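As an added illustration of the validation step the message describes (this is not part of the original e-mail and not RIPE NCC code), the following Python computes the RFC 6811 origin validation outcome of a BGP announcement against a set of ROAs, and flags which announcements a ROV-enforcing network would drop. The prefixes and AS numbers are constructed documentation values, not real ROAs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the prefix, its maxLength and the AS allowed to originate it."""
    prefix: str
    max_length: int
    origin_asn: int


def _covers(roa_prefix: Network, route: Network) -> bool:
    """A ROA covers a route when the route lies inside the ROA prefix (same address family)."""
    return roa_prefix.version == route.version and route.subnet_of(roa_prefix)


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if _covers(ipaddress.ip_network(r.prefix, strict=False), route)]
    if not covering:
        return "notfound"  # no ROA makes any statement about this prefix
    for roa in covering:
        # One covering ROA with the right origin AS and an allowed length is enough.
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but origin AS or prefix length contradicts every ROA


def dropped_under_rov(announcements: Iterable[Tuple[str, int]],
                      roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Announcements a ROV-enforcing AS would drop (invalid only; notfound is still accepted)."""
    roas = list(roas)
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) == "invalid"]


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64496)]

# Constructed sample announcements: a correct one, a too-specific one (maxLength exceeded),
# one with a wrong origin AS (misconfigured ROA or hijack), and one with no covering ROA.
SAMPLE_ANNOUNCEMENTS = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("2001:db8:1::/48", 64511), ("198.51.100.0/24", 64496)]

if __name__ == "__main__":
    for p, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{p} from AS{asn}: {validate_origin(p, asn, SAMPLE_ROAS)}")
    print("dropped:", dropped_under_rov(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS))
```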