RE: A few questions regarding about RPKI/invalids

2022-03-31 Thread Drew Weaver
Want to give credit to 3356, after I contacted them they eliminated all of the 
bad routes coming in via legacy Global Crossing.

-Drew

-Original Message-
From: Job Snijders  
Sent: Wednesday, March 30, 2022 10:33 AM
To: Drew Weaver 
Cc: 'nanog@nanog.org' 
Subject: Re: A few questions regarding about RPKI/invalids

On Wed, Mar 30, 2022 at 01:29:25PM +, Drew Weaver wrote:
> Ex 45.176.191.0/24   3356 3549 11172 270150
> 
> RPKI ROA entry for 45.176.191.0/24-24
>   Origin-AS: 265621
> 
> Two questions:
> 
> First, are you also seeing this on this specific route?

It is visible in a few places, but the 61% score in for example RIPE stat is 
very low, which is a strong hint some kind of issue exists:
https://stat.ripe.net/ui2013/45.176.191.0%2F24#tabId=routing

> Second, is there a certain number of "expected" invalid routes? (not 
> including unknowns)

Through large transit providers that do RPKI ROV with 'invalid == reject' 
you'll generally see less than a 100 invalids at any given time (1299, 174, 
3257, 3303, 6830, etc).

Then there are large transit providers who (as far as the public record is 
concerned) have not yet deployed RPKI ROV on their EBGP edges. Via AS
6762 I see ~ 2,300 invalids, and via AS 6461 about 3,000 invalids.

For historical perspective: this 3,000 upperbound number used to be ~
6,000 back in the 'pre RPKI era' in 2018/2019.

> Third, how are you handling specifically the large number of routes 
> from 3356 3549 which have invalid origin AS? Are you just "letting the 
> bodies hit the floor"? or are you carving those out somehow?

I'd reject them. Why carve out an exception merely because the number is 
'large'? :-)

Kind regards,

Job


Re: A few questions regarding about RPKI/invalids

2022-03-30 Thread Nimrod Levy
On Wed, Mar 30, 2022 at 10:35 AM Job Snijders via NANOG 
wrote:

>
> I'd reject them. Why carve out an exception merely because the
> number is 'large'? :-)
>
>
To add to this, many routes does not equal lots of traffic or even
important traffic.

If it continues to be invalid, someone didn't bother to make sure it works
everywhere.

Keep dropping them.

--
Nimrod


Re: A few questions regarding about RPKI/invalids

2022-03-30 Thread Job Snijders via NANOG
On Wed, Mar 30, 2022 at 01:29:25PM +, Drew Weaver wrote:
> Ex 45.176.191.0/24   3356 3549 11172 270150
> 
> RPKI ROA entry for 45.176.191.0/24-24
>   Origin-AS: 265621
> 
> Two questions:
> 
> First, are you also seeing this on this specific route?

It is visible in a few places, but the 61% score in for example RIPE
stat is very low, which is a strong hint some kind of issue exists:
https://stat.ripe.net/ui2013/45.176.191.0%2F24#tabId=routing

> Second, is there a certain number of "expected" invalid routes? (not
> including unknowns)

Through large transit providers that do RPKI ROV with 'invalid ==
reject' you'll generally see less than a 100 invalids at any given time
(1299, 174, 3257, 3303, 6830, etc).

Then there are large transit providers who (as far as the public record
is concerned) have not yet deployed RPKI ROV on their EBGP edges. Via AS
6762 I see ~ 2,300 invalids, and via AS 6461 about 3,000 invalids.

For historical perspective: this 3,000 upperbound number used to be ~
6,000 back in the 'pre RPKI era' in 2018/2019.

> Third, how are you handling specifically the large number of routes
> from 3356 3549 which have invalid origin AS? Are you just "letting the
> bodies hit the floor"? or are you carving those out somehow?

I'd reject them. Why carve out an exception merely because the
number is 'large'? :-)

Kind regards,

Job
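
Added example, not part of the original thread or any poster's code: a minimal RFC 6811 origin-validation check in Python, run against the route and ROA quoted above, with an 'invalid == reject' import policy. The function names, the 192.0.2.0/24 VRP and the AS 64496/64500 paths are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maxLength, authorised origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int

def origin_of(as_path: str) -> int:
    """The origin AS is the right-most ASN in the AS_PATH."""
    return int(as_path.split()[-1])

def validate(prefix: str, as_path: str, vrps: list) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    covered = False
    for vrp in vrps:
        # A VRP covers the route if the route is equal to or inside its prefix.
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # Match: route no longer than maxLength and same (non-zero) origin AS.
        if route.prefixlen <= vrp.max_length and origin == vrp.origin_as != 0:
            return "valid"
    # Covered by at least one VRP but matched by none -> invalid.
    return "invalid" if covered else "not-found"

def import_policy(prefix: str, as_path: str, vrps: list) -> tuple:
    """'invalid == reject'; valid and not-found (unknown) routes are accepted."""
    state = validate(prefix, as_path, vrps)
    return ("reject" if state == "invalid" else "accept", state)

# The ROA from the thread, plus one constructed VRP on documentation space.
VRPS = [
    VRP(ipaddress.ip_network("45.176.191.0/24"), 24, 265621),
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),   # constructed
]

if __name__ == "__main__":
    routes = [
        ("45.176.191.0/24", "3356 3549 11172 270150"),  # path from the thread
        ("45.176.191.0/24", "64496 265621"),            # constructed path
        ("45.176.191.0/25", "64496 265621"),            # constructed, too specific
        ("198.51.100.0/24", "64496 64500"),             # constructed, no ROA
    ]
    for pfx, path in routes:
        print(pfx, path, import_policy(pfx, path, VRPS))
```
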


Re: A few questions regarding about RPKI/invalids

2022-03-30 Thread Jon Lewis

On Wed, 30 Mar 2022, Drew Weaver wrote:


> We’ve noticed that there are a number of routes being passed along from 3356
> with invalid origin AS.
>
> Of those, almost all of them are being passed to 3356 from 3549 (legacy Global
> Crossing) and there is no valid path available for any of these prefixes (at
> least according to the ROA).
>
> Ex 45.176.191.0/24   3356 3549 11172 270150
>
> RPKI ROA entry for 45.176.191.0/24-24
>   Origin-AS: 265621


I'm seeing that route, same origin.  Those who do RPKI ROV do not see that 
route.  Hurricane Electric, for example, via their looking glass has no 
route for that IP space.


You would think the pain inflicted by parts of the Internet ignoring your 
routes would get RPKI oops's like this fixed relatively quickly.  It may 
depend on how much of the Internet they regularly exchange bits with and 
how many of those networks actually do ROV.


--
 Jon Lewis, MCP :)   |  I route
 StackPath, Sr. Neteng   |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: A few questions regarding about RPKI/invalids

2022-03-30 Thread Andrey Kostin

Seeing this prefix with exactly same path coming from Zayo.
My path is 6461 3356 3549 11172 270150 I

Kind regards,
Andrey

Drew Weaver wrote 2022-03-30 09:29:

Hello,

We've noticed that there are a number of routes being passed along
from 3356 with invalid origin AS.

Of those, almost all of them are being passed to 3356 from 3549
(legacy Global Crossing) and there is no valid path available for any
of these prefixes (at least according to the ROA).

Ex 45.176.191.0/24   3356 3549 11172 270150

RPKI ROA entry for 45.176.191.0/24-24

  Origin-AS: 265621

Two questions:

First, are you also seeing this on this specific route?

Second, is there a certain number of "expected" invalid routes? (not
including unknowns)

Third, how are you handling specifically the large number of routes
from 3356 3549 which have invalid origin AS? Are you just "letting the
bodies hit the floor"? or are you carving those out somehow?

I'm mostly just curious what other members of the community are
seeing/doing in regards to this.

Thanks,

-Drew