Hello,

On Sat, 20 Mar 2021 at 20:06, Hank Nussbacher <[email protected]> wrote:
> I am not sure it is possible, but I would love to see some centralized
> site where all dropped ROV invalids would appear.  This way I can see if
> I have a problem as well as if someone tried to hijack my space but was
> thwarted by the drop.

Monitoring ROV invalids in other people's networks (validators;
routers) is not possible and I doubt it ever will be.

What you can do is monitor your IP space for hijacks (whether ROAs
exist or not) and generally ROV invalids. Like Randy mentioned,
bgpalerter is a great tool for this job.

If you roll your own custom CA, you should monitor it against
different validator instances.


But this is a valid point: I definitely believe that most operators
don't really monitor their validation instances for periodic
successful validation, their RTR servers for not serving stale data
and their RTR clients for not using stale data (for whatever reasons,
including bugs and misconfigurations). Just pinging your validator or
checking for a SYN-ACK on the RTR port is not enough monitoring, I'm
afraid.

Also see:
https://labs.ripe.net/Members/lukas_tribus/rpki-rov-about-stale-rtr-servers-and-how-to-monitor-them
https://lists.nlnetlabs.nl/pipermail/rpki/2021-March/000275.html

Given the lack of discussions about the topic of properly monitoring
validation and RTR state, and the definitely non-zero number of issues
with this exact issue, I think it's safe to assume that for the most
part proper monitoring in the production networks out there is not
happening today.


cheers,
lukas

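As an added example (not code from Lukas or from any of the projects mentioned in the thread), the following script shows what "more than a ping or a SYN-ACK" can look like: it speaks the RTR protocol (RFC 8210, version 1, plain TCP) to a cache, parses the Cache Response / Prefix PDU / End of Data stream into VRPs plus the serial and timing fields, and then runs two freshness checks a monitor would repeat on every poll: the serial has not moved for longer than a threshold (the validator behind the cache may have stopped updating), and the VRP count has fallen below a floor (the cache was reset or never loaded). A diff helper covers the "compare your own validator against an independent one" point. The thresholds (`min_vrps`, `max_serial_age` defaulting to two refresh intervals) and the sample PDU stream in `constructed_feed()` are assumptions made for this example, not values from the mail or from any real cache.

```python
"""RTR (RFC 8210) snapshot parser and freshness checks for an RPKI cache. Added example; not the mail author's code."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

RTR_V1 = 1
# PDU type codes from RFC 8210 section 5 (the IANA-assigned rpki-rtr port is 323)
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, ERROR_REPORT = 2, 3, 4, 6, 7, 10
VRP = Tuple[str, int, int, int]  # (prefix, prefix length, max length, origin ASN)


@dataclass
class Snapshot:
    session_id: int
    serial: int
    refresh: int  # intervals the cache recommends to its clients, in seconds
    retry: int
    expire: int
    vrps: List[VRP]


def reset_query() -> bytes:
    """Reset Query PDU: asks the cache for its complete current data set."""
    return struct.pack("!BBHI", RTR_V1, RESET_QUERY, 0, 8)


def parse_snapshot(data: bytes) -> Snapshot:
    """Parse Cache Response ... End of Data; raise ValueError on anything malformed."""
    off, vrps, session_id = 0, [], None
    while off + 8 <= len(data):
        ver, ptype, field, length = struct.unpack_from("!BBHI", data, off)  # field = session id, error code or zero
        if ver != RTR_V1 or length < 8 or off + length > len(data):
            raise ValueError(f"malformed PDU header at offset {off}")
        body = data[off + 8:off + length]
        if ptype == CACHE_RESPONSE:
            session_id = field
        elif ptype == IPV4_PREFIX or ptype == IPV6_PREFIX:
            fam, fmt = (socket.AF_INET, "!BBBB4sI") if ptype == IPV4_PREFIX else (socket.AF_INET6, "!BBBB16sI")
            if len(body) != struct.calcsize(fmt):
                raise ValueError(f"prefix PDU at offset {off} has wrong length {length}")
            flags, plen, maxlen, _zero, pfx, asn = struct.unpack(fmt, body)
            if flags & 1:  # flag bit 0 set = announcement; clear = withdrawal
                vrps.append((socket.inet_ntop(fam, pfx), plen, maxlen, asn))
        elif ptype == END_OF_DATA and length == 24:
            if session_id is None or field != session_id:
                raise ValueError("End of Data session id does not match Cache Response")
            serial, refresh, retry, expire = struct.unpack("!IIII", body)
            return Snapshot(session_id, serial, refresh, retry, expire, vrps)
        elif ptype == ERROR_REPORT:
            raise ValueError(f"cache sent Error Report, error code {field}")
        off += length  # other PDU types (e.g. Router Key) are skipped
    raise ValueError("stream ended without End of Data")


def assess(snap: Snapshot, prev_serial: Optional[int], secs_since_serial_change: int,
           min_vrps: int, max_serial_age: Optional[int] = None) -> List[str]:
    """Freshness checks for one poll; returns alert strings (empty list = looks healthy).
    Thresholds are assumptions for this example: tune them to your validator's update cadence."""
    alerts = []
    if max_serial_age is None:
        max_serial_age = 2 * snap.refresh  # assumed default: two refresh intervals with no change
    if len(snap.vrps) < min_vrps:
        alerts.append(f"vrp-count {len(snap.vrps)} below floor {min_vrps}: cache empty or reset")
    if prev_serial is not None and snap.serial == prev_serial and secs_since_serial_change > max_serial_age:
        alerts.append(f"serial {snap.serial} unchanged for {secs_since_serial_change}s: validator may be stuck")
    return alerts


def compare_snapshots(a: Snapshot, b: Snapshot) -> Tuple[Set[VRP], Set[VRP]]:
    """Diff the VRP sets of two caches (e.g. your own validator vs. an independent instance)."""
    sa, sb = set(a.vrps), set(b.vrps)
    return sa - sb, sb - sa


def fetch_snapshot(host: str, port: int = 323, timeout: float = 30.0) -> Snapshot:
    """Plain-TCP RTR session: send a Reset Query and read PDUs up to End of Data (or Error Report)."""
    buf = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(reset_query())
        while True:
            hdr = rd.read(8)
            if len(hdr) < 8:
                raise ConnectionError("RTR server closed the connection mid-stream")
            ptype, length = hdr[1], struct.unpack("!I", hdr[4:8])[0]
            buf += hdr + rd.read(length - 8)  # a short read is caught by parse_snapshot's length check
            if ptype in (END_OF_DATA, ERROR_REPORT):
                return parse_snapshot(bytes(buf))


def constructed_feed() -> bytes:
    """Constructed sample stream (not a capture from any real cache): Cache Response, three VRPs, End of Data."""
    session = 0x1234
    pdus = [struct.pack("!BBHI", RTR_V1, CACHE_RESPONSE, session, 8)]
    for pfx, plen, maxlen, asn in (("192.0.2.0", 24, 24, 64496), ("198.51.100.0", 24, 25, 64497), ("2001:db8::", 32, 48, 64496)):
        v4 = ":" not in pfx
        ptype, fam, fmt, length = (IPV4_PREFIX, socket.AF_INET, "!BBBB4sI", 20) if v4 else (IPV6_PREFIX, socket.AF_INET6, "!BBBB16sI", 32)
        pdus.append(struct.pack("!BBHI", RTR_V1, ptype, 0, length) + struct.pack(fmt, 1, plen, maxlen, 0, socket.inet_pton(fam, pfx), asn))
    pdus.append(struct.pack("!BBHI", RTR_V1, END_OF_DATA, session, 24) + struct.pack("!IIII", 42, 3600, 600, 7200))
    return b"".join(pdus)
```

Run it periodically from your monitoring system: `fetch_snapshot("rtr.example.net")` (hostname assumed) gives the current serial and VRP set, which you store next to the timestamp of the last serial change and feed into `assess()` on the next poll; `compare_snapshots()` against a second, independently run validator catches the case where your own instance quietly keeps serving old data while still answering on the RTR port.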