And to add to this - you'll find it implemented across all IX Australia exchanges now so if you peer (and you should :-) ) we will be in touch if there are any routes being dropped. RPKI is in everyone's interest.

all the best

Narelle

On Thu, 1 Oct 2020 at 20:03, Andy Davidson <[email protected]> wrote:

> Hi, Alex
>
> Alex Samad wrote:
> > Wondering how prevalent is RPKI in transit providers in Oz. Just got an
> > email from exetel to say they are starting a rollout of it.
> >
> > Seems like my ROS routers don't have it, seems like they have been
> > talking about back in 2014, still waiting on that feature to be added.
> >
> > Curious if all of my transit providers are going to come knocking and
> > asking for me to turn this on ?
>
> It depends what you mean by rolling it out and supporting it. It could
> mean publishing ROAs for your/their prefixes, or it could mean verifying
> announcements against the database of published ROAs.
>
> A ROA (Route Origin Authorisation) is a signed digital attestation that an
> ASN has explicit permission to originate a prefix. You can publish these
> in MyAPNIC. It is a good idea to do this and to express your intent
> correctly because once you have published your ROAs it means networks who
> do ROA verification (what I think you mean by rolling out RPKI) are less
> likely to accept and propagate hijack attempts for your prefixes. You can
> also indicate whether a prefix deaggregates should appear in the default
> free routing table so it's a really good way to limit your exposure to
> spoof origin attempts.
>
> You don't need your equipment to support the verification of ROAs in order
> to publish ROAs for your prefixes, nor do you need your equipment to
> support it if your upstream does. Note, the majority of large networks are
> today filtering RPKI invalid prefixes. Doing RPKI filtering on your
> network is a good idea to prevent your customers from sending traffic to
> prefix hijackers instead of rightful originators.
>
> In other words, their notification means many networks can do nothing, but
> you should check that your RPKI data (if published) in MyAPNIC is not wrong
> (or you're going to fall offline), and publish valid RPKI data anyway to
> protect your customers!
>
> > Plus some quick googling seems to suggest it's currently flawed..
>
> Beware quick googling; today's RPKI is not full BGPSEC but it's a great step
> towards preventing accidental and many deliberate hijack attempts.
>
> Andy
>
> _______________________________________________
> AusNOG mailing list
> [email protected]
> http://lists.ausnog.net/mailman/listinfo/ausnog
>

--
Narelle
[email protected]
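
Added example (not part of the original thread): a minimal route origin validation check in the style of RFC 6811, showing how a network that verifies ROAs classifies an announcement, and why a wrong origin or a too-short maxLength in your own ROA gets your routes dropped. The ROAs, prefixes and ASNs are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorised origin ASN).
# Documentation prefixes and private-use ASNs only, not real routing data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),     # no deaggregation permitted
    ("198.51.100.0/24", 25, 64501),  # /25 deaggregates permitted
    ("2001:db8::/32", 48, 64500),    # anything from /32 down to /48
]


def validate(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA only matters if its prefix covers the announced route.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs the same origin AND a length within maxLength.
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched none: invalid.
    # Covered by no ROA at all: not-found (usually still accepted).
    return "invalid" if covered else "not-found"


def audit(announcements, roas=ROAS):
    """Return the announcements an invalid-dropping network would reject."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) == "invalid"]


if __name__ == "__main__":
    # Constructed announcements: what "we" originate today.
    mine = [
        ("192.0.2.0/24", 64500),       # matches the ROA
        ("192.0.2.0/25", 64500),       # more specific than maxLength
        ("198.51.100.128/25", 64501),  # allowed deaggregate
        ("203.0.113.0/24", 64500),     # no ROA published
    ]
    for prefix, asn in mine:
        print(f"{prefix:20} AS{asn}: {validate(prefix, asn)}")
    print("would be dropped:", audit(mine))
```

Running the same check against your real announcements and the ROAs you have published in MyAPNIC before an upstream turns on filtering shows which routes would fall offline.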
