Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-24 Thread Geoff Huston
> On 25 May 2022, at 5:45 am, Jakob Heitz (jheitz) via NANOG > wrote: > > This attack will work very well until the victim starts advertising > its prefix. The victim may not notice the fake advertisement because the fake > advertisement will not reach the victim AS due to AS-path loop

RE: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-24 Thread Jakob Heitz (jheitz) via NANOG
This attack will work very well until the victim starts advertising its prefix. The victim may not notice the fake advertisement because the fake advertisement will not reach the victim AS due to AS-path loop checking. So potential victims must advertise all prefixes that they register in RPKI or

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-24 Thread Saku Ytti
On Tue, 24 May 2022 at 11:23, Max Tulyev wrote: > To make a working hijack of the routed prefix (for sniffing traffic, > DDoS or something similar), you have to announce a more specific > prefix(es). It can be denied by RPKI. > > If you signed RPKI prefix is still unannounced - yes, somebody can

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-24 Thread Max Tulyev
15.05.22 00:19, Nick Hilliard wrote: a malicious actor will spoof the origin AS.  The aim of RPKI to help stop mis-origination of prefixes, and the root cause of most of this is accidental. To make a working hijack of the routed prefix (for sniffing traffic, DDoS or something similar), you

RE: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-15 Thread Jakob Heitz (jheitz) via NANOG
2 12:09 AM To: Jakob Heitz (jheitz) Cc: nanog@nanog.org Subject: Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) On Sat, 14 May 2022 at 00:17, Jakob Heitz (jheitz) wrote: Hey Jakob, > 'RPKI-tested-only' will store all routes that encounter a 'validation-state' > test > i

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-14 Thread Randy Bush
> In the end, the reason for all this RPKI-thingy is to prevent route > spoofing by malicious actors. sigh. for my quarterly posting of the same many year old text To be clear, as people keep calling BGP security 'RPKI', RPKI The RPKI is an X.509 based hierarchy [RFC 6481] which is

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-14 Thread Nick Hilliard
Hank Nussbacher wrote on 14/05/2022 19:15: In the end, the reason for all this RPKI-thingy is to prevent route spoofing by malicious actors. a malicious actor will spoof the origin AS. The aim of RPKI to help stop mis-origination of prefixes, and the root cause of most of this is

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-14 Thread Hank Nussbacher
On 14/05/2022 00:16, Jakob Heitz (jheitz) via NANOG wrote: 'RPKI-dropped-only' causes the dropped routes to be stored. This will prevent the unnecessary route-refreshes described above. It does not prevent all route-refreshes, but uses significantly less memory than 'RPKI-tested-only'

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-14 Thread Saku Ytti
set both in operational manner by not inflating config sizes and cause commits to fail and by improving routing security. > > Regards, > Jakob. > > -Original Message- > From: Saku Ytti > Sent: Friday, May 13, 2022 12:36 AM > To: Jakob Heitz (jheitz) > Cc: nanog@

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-13 Thread Mark Tinka
On 5/13/22 23:16, Jakob Heitz (jheitz) via NANOG wrote: 'RPKI-tested-only' will store all routes that encounter a 'validation-state' test in the inbound route policy. In that case, when an RPKI server updates a VRP to the router, it can re-run the inbound policy from the stored route and

RE: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-13 Thread Jakob Heitz (jheitz) via NANOG
not prevent all route-refreshes, but uses significantly less memory than 'RPKI-tested-only' Regards, Jakob. -Original Message- From: Saku Ytti Sent: Friday, May 13, 2022 12:36 AM To: Jakob Heitz (jheitz) Cc: nanog@nanog.org Subject: Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-13 Thread Saku Ytti
On Fri, 13 May 2022 at 00:44, Jakob Heitz (jheitz) via NANOG wrote: > RPKI-dropped-only > Saves a copy of only the routes dropped by an RPKI validation-state test in > neighbor-in route-policy. > > RPKI-tested-only > Saves a copy of only the routes tested in an RPKI validation-state test in >

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-12 Thread Mark Tinka
On 5/12/22 23:40, Jakob Heitz (jheitz) via NANOG wrote: To address the risk of somebody exhausting your memory by dumping a ton of routes on you, we added two new options to "soft-reconfiguration inbound" in IOS-XR. RPKI-dropped-only Saves a copy of only the routes dropped by an RPKI

RE: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-12 Thread Jakob Heitz (jheitz) via NANOG
rible time with it. Regards, Jakob. -Original Message- Date: Wed, 11 May 2022 14:31:28 -0700 From: Randy Bush To: Pirawat WATANAPONGSE via NANOG Subject: Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s) Message-ID: Content-Type: text/plain; charset=US-ASCII &g

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Randy Bush
> Is setting 'Soft Reconfiguration' enough for me to keep ROV running? yes, should be. > If not, is there any other solution? yes. jakob says he has implemented https://datatracker.ietf.org/doc/draft-ietf-sidrops-rov-no-rr/, though i do not know in what xr image(s) randy

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread heasley
Wed, May 11, 2022 at 09:36:36PM +0200, Lukas Tribus: > True and the amount of memory used per prefix also depends on things > like BGP communities. > > When I tested this, on 32 bit XR I had a memory increase of about 400 > MB for a full feed 2 years ago. it depends on the architecture, the

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Lukas Tribus
On Wed, 11 May 2022 at 21:22, Grant Taylor via NANOG wrote: > > On 5/11/22 10:53 AM, Job Snijders via NANOG wrote: > > This knob slightly increases your own memory consumption, but makes your > > router more “neighbourly”! :-) > > I question how accurate "slightly" is. > > My understanding is that

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Job Snijders via NANOG
On Wed, May 11, 2022 at 01:22:32PM -0600, Grant Taylor via NANOG wrote: > On 5/11/22 10:53 AM, Job Snijders via NANOG wrote: > > This knob slightly increases your own memory consumption, but makes your > > router more “neighbourly”! :-) > > I question how accurate "slightly" is. > > My

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Grant Taylor via NANOG
On 5/11/22 10:53 AM, Job Snijders via NANOG wrote: This knob slightly increases your own memory consumption, but makes your router more “neighbourly”! :-) I question how accurate "slightly" is. My understanding is that soft reconfiguration inbound (whatever the syntax for a given IOS is)

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread heasley
Wed, May 11, 2022 at 07:29:04PM +0200, Mark Tinka: > On 5/11/22 18:53, Job Snijders via NANOG wrote: > > In current versions I think enabling “soft-reconfiguration-inbound > > always” (also described at > > https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr > > ) should be

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Tomoya Takezaki via NANOG
Hi, If you are running "soft-reconfiguration inbound rpki-dropped-only" on IOS-XR7, please note CSCwb17937. We had a terrible time with this. Best regards, takez > 2022/05/12 1:43, mail from Pirawat WATANAPONGSE via NANOG: > > Dear Guru(s), > > > We used to run our ‘Gateway Router’ with ROV

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Mark Tinka
On 5/11/22 18:53, Job Snijders via NANOG wrote: Hi! In current versions I think enabling “soft-reconfiguration-inbound always” (also described at https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr ) should be enough. Make sure to enable it on every EBGP peer you apply

Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Job Snijders via NANOG
Hi! In current versions I think enabling “soft-reconfiguration-inbound always” (also described at https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr ) should be enough. Make sure to enable it on every EBGP peer you apply ROV to, or just all EBGP peers. This knob slightly

Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s) and upstream(s)

2022-05-11 Thread Pirawat WATANAPONGSE via NANOG
Dear Guru(s), We used to run our ‘Gateway Router’ with ROV turned on. Then, we “upgraded” it to a Cisco NCS-55A1 (5500 Series) running IOS-XR just a few weeks ago. Consequently, during my rummage through Google for a (the?) best (ROV) configuration template for the new router, I found a