Dear Carlos, LACNIC, and wider community,
I very much appreciate how LACNIC worked with various stakeholders
before publicly committing to the schedule outlined in Carlos' email.
From what I can see, LACNIC pro-actively and properly tested their
purported post-migration environment with very
On Mon, Feb 26, 2024 at 05:41:12PM +, Ray Orsini via NANOG wrote:
> What tools are you using to monitor BGP announcements and route changes?
The wonderful BGP.tools already has been mentioned a few times.
Another excellent option is https://Packetvis.com, I find their RPKI
monitoring
On Mon, Feb 12, 2024 at 05:01:35PM -0600, Richard Laager wrote:
> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
> > On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
> > > I was making an observation that the presentation material was
> > > referr
On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
> > On 12 Feb 2024, at 3:14 pm, Job Snijders via NANOG wrote:
> > At NANOG 90, Merit presented on their IRRd v4 deployment. At the
> > microphone Geoff Huston raised a comment which I interpreted as:
> >
Dear all,
At NANOG 90, Merit presented on their IRRd v4 deployment. At the
microphone Geoff Huston raised a comment which I interpreted as:
"Can an exception be made for my research prefixes?"
There are two sides to this:
INSERTING RPKI-invalid route/route6 objects
On Tue, Jan 30, 2024 at 07:28:01PM +0300, Frank Habicht wrote:
> I believe that the entry of
> route: 0.0.0.0/32
>
> does not serve any good purpose?
I don't think so either, I've created an issue to prevent that in future
releases of IRRd v4: https://github.com/irrdnet/irrd/issues/906
Dear all,
Happy new year everyone! Having just closed chapter 2023 - let's look
back at the previous year.
In this memo I'll share some RPKI statistics, summarize highlights from
the IETF Standards Development process, and reflect on emerging trends.
Year to Year Growth of the distributed RPKI
Dear NANOG,
It appears the WHOIS service at whois.radb.net is now filtering out
RPKI-invalid IRR route/route6 objects for common expansion queries!
This really is exciting and excellent news. I'll elaborate a bit on what
this exactly means.
Example ROA & IRR object
Take
Dear Amir,
On Fri, Nov 10, 2023 at 06:02:48PM -0500, Amir Herzberg wrote:
> We will present our new work, titled: `BGP-iSec: Improved Security of
> Internet Routing Against Post-ROV Attacks', in NDSS'24.
>
> If you're interested in security of Internet routing (BGP), and want a
> copy, see URL
On Tue, Oct 24, 2023 at 05:28:31PM -0700, Owen DeLong wrote:
> Yes, but we weren’t talking about an IXP here.
> We’re talking about an ISP.
Sure, perhaps you were
I intended to submit an example where a resource holder constructively
uses a ROA designating AS 0 as purported originator, actually
On Sun, 22 Oct 2023 at 20:33, Tom Beecher wrote:
> Basically, I guess, it means that the AS 0 solution shouldn't be used, at
>> least not usually.
>>
>
> It's like everything else. Understand what the tools do and what they
> don't do, and use them appropriately.
>
A primary risk for an IXP is
On Sun, 22 Oct 2023 at 19:35, Owen DeLong wrote:
> Actually, Job, the 1.2.0/20 would be the longest prefix announced for
> 1.2.4/24 and 1.2.7/24 in this case. It’s a rather clever end-run. The /20
> won’t match the more specific as0 ROAs, so it gets accepted. The /24s
> either aren’t advertised
On Sun, 22 Oct 2023 at 18:10, William Herrin wrote:
> Then someone comes along and advertises a portion of the RIR space
> larger than any allocation. Since your subnet is intentionally absent
> from the Internet, that larger route draws the packets allowing a
> hijack of your address space.
>
>
On Sun, 22 Oct 2023 at 17:42, Amir Herzberg wrote:
> Bill, thanks! You explained the issue much better than me. Yes, the
> problem is that, in my example, the operator was allocated 1.2.4/22 but
> the attacker is announcing 1.2.0/20, which is larger than the allocation,
> so the operator
On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui wrote:
> A quick check to my routing table suggests that I have 206700
> preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
> don't think anyone can afford to do this right now.
>
I don’t think anyone can afford to ever do this,
On Thu, 19 Oct 2023 at 11:56, Owen DeLong wrote:
>
> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG wrote:
>
>> A question for network operators out there that implement ROV…
>>
>> Is anyone rejecting RPKI unknown routes at this time?
>>
>> I know that it’s popular to reject RPKI invalid
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG wrote:
> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m
Dear Martin,
On Wed, Oct 11, 2023 at 10:01:53AM +0200, Martin Pels wrote:
> I think this is important work.
Thanks!
> As you indicated in your mail you have spent quite some time compiling
> the constraints files in the appendix. Keeping them up to date
> requires tracking allocations and
Dear all,
Please see the below announcement, I think this is really good news!
RPKI-based filtering at large databases and mirror services like RADB
really helps take the sting out of potentially harmful RPKI-invalid IRR
route objects. This will positively impact operators who use bgpq3, irrpt,
Dear Matthew,
See below
On Tue, 26 Sep 2023 at 20:49, Matthew Petach wrote:
>
> Job,
>
> This looks fantastic, thank you!
>
> For my edification and clarification, the reason you don't need a
>
> deny 2000::/3
>
> or
>
> deny 0::/0
>
> at the bottom of the ARIN list of allows is that every
Dear all,
Two weeks ago AFRINIC was placed under receivership by the Supreme Court
of Mauritius. This event prompted me to rethink the RPKI trust model and
associated risk surface.
The RPKI technology was designed to be versatile and flexible to
accommodate a myriad of real-world deployment
On Fri, Sep 01, 2023 at 11:54:57AM +0100, Nick Hilliard wrote:
> it's not really. If the receiving BGP stack understands the attribute,
> then it should be parsed as default, i.e. carefully. Unfortunately,
> junos slipped up on this and didn't validate the input correctly,
> which is a parsing
On Fri, 11 Aug 2023 at 17:54, Graham Johnston via NANOG wrote:
> I've been busy over the last few days trying to clean up IRR information
> for our subnets and issue ROAs for our address space. Invariably I came
> across stale entries in various IRR databases. They aren't really hurting
> me,
Dear Mark,
Thank you for sharing all the details in your previous email. For
brevity I'm snipping most of your reply.
On Tue, Aug 08, 2023 at 03:59:19PM +, Mark Kosters wrote:
> Job Snijders wrote:
>
> > Would it not be advantageous to create at a minimum the 256 of the
> > 'least-specific'
Dear John, ARIN, NANOG,
On Mon, Aug 07, 2023 at 06:24:09PM +, John Curran wrote:
> We have made some fairly significant changes for those customers using
> ARIN Online for routing security administration – see attached message
> for specifics.
Yes, significant changes! I very much appreciate
Heya NANOG,
I thought this email conversation might be of interest to the group:
https://mailarchive.ietf.org/arch/msg/sidrops/RdbccLbXEHUrmmdIS5K9GOdJFXA/
Kind regards,
Job
- Forwarded message from Job Snijders -
Date: Fri, 19 May 2023 20:54:26 +0200
From: Job Snijders
To:
Dear John,
On Tue, Jan 03, 2023 at 08:57:47PM +, John Curran wrote:
> NANOGers -
>
> FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor
> authentication (2FA) - this is a noted priority for some
> organizations.
Thank you for sharing this wonderful news! I tried the new
Dear all,
With 2023 at our doorstep, I'd like to share some perspective on how
RPKI evolved in the year 2022.
Impact on the Global Internet Routing System
Decision makers might wonder: is investing time and resources worth it?
What is the
On Sat, Dec 17, 2022 at 04:58:18PM -0800, Randy Bush wrote:
> https://www.rfc-archive.org/getrfc?rfc=9092
>
> and note that massimo has a collio toolset
>
> https://github.com/massimocandela/geofeed-finder
Rpki-client (version 8.2 and higher) supports authenticating signed
Geofeed data
The Internet delivers when we need it the most! :-)
https://is2000slash12announcedagain.com/
Props to Ben Cartwright-Cox
Hi all,
On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
A few months ago I wrote: "Frequently Asked Questions about 2000::/12
and related routing
Hi all,
It appears PacketVis correctly identified an issue.
AFRINIC's self-signed root AfriNIC.cer [1] points via its SIA to
'afrinic-ca.cer' [2] which in turn references a RPKI Manifest named
'K1eJenypZMPIt_e92qek2jSpj4A.mft'.
The K1eJenypZMPIt_e92qek2jSpj4A Manifest lists 499 Certificate
Dear 孙乐童,
On Mon, Nov 07, 2022 at 08:40:57PM +0800, 孙乐童 wrote:
> We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes
> have deployed RPKI Origin Validation (ROV). However, we downloaded BGP
> collection data from RouteViews and RipeRis platforms and found that
> some ROV-ASes
Hi Dustin, others,
Sure thing! Someone from the Fastly peering team will follow up with you
off-list.
Information about peering with Fastly: https://www.peeringdb.com/asn/54113
and https://www.fastly.com/peering/
Kind regards,
Job
On Fri, 30 Sep 2022 at 14:39, Dustin Brooks wrote:
> Can
Dear all,
I'd like to ask help from the EBGP hivemind: the shiny new BGP looking
glass at https://lg.ring.nlnog.net/ supports displaying text strings
mapped from BGP community values (both simple and large communities).
Mapping BGP Community values to simple English human-readable text
phrases
Dear Mark,
I’ll follow up off-list.
Kind regards,
Job
On Fri, 16 Sep 2022 at 20:06, Mark Spring wrote:
> In short, I am having issues with a couple of our subnets not being able
> to traverse a fastly peer which I don't manage, it is upstream from me. I
> need to get this resolved as it is
On Tue, Aug 30, 2022 at 01:28:18PM -0700, Hugo Slabbert wrote:
> @Job:
>
> Thanks! I was aware of the RIPE whois option, but the relevant resources
> for us are in ARIN. I wasn't aware of the RPSL *remark* option for
> providing that. We should be able to give that a bash.
Hmmm, there might be
Dear Hugo,
On Tue, Aug 30, 2022 at 12:34:41PM -0700, Hugo Slabbert wrote:
> Google folks:
>
> I see historical reference to needing to use the Google Peering Portal (
> http://peering.google.com) if you need to provide Google with geofeed info
> for GeoIP info on network blocks, ref
>
Heya,
On Wed, Aug 24, 2022 at 09:17:03AM +0200, Claudio Jeker wrote:
> On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> > In this sense, ASPA (just by itself) suffers the same challenge as
> > RPKI ROA-based Origin Validation: the input (the BGP AS_PATH)
Hi Douglas, group,
On Tue, Aug 23, 2022 at 03:03:31PM -0300, Douglas Fischer wrote:
> I was thinking a little about this case...
>
> I'm almost certain that this case cited by Siyuan would have been
> avoided if there was a cross-check between the items contained in the
> AS-SET objects (and
On Tue, Aug 23, 2022 at 05:18:42PM +, Compton, Rich A wrote:
> I was under the impression that ASPA could prevent route leaks as well
> as path spoofing. This "BGP Route Security Cycling to the Future!"
> presentation from NANOG seems to indicate this is the case:
>
Dear Siyuan, others,
Thank you for the elaborate write-up and the log snippets. You
contributed a comprehensive overview of what transpired from a
publicly-visible perspective, what steps led up to the strike.
I want to jump in on one small point which I often see as a point of
confusion in our
On Fri, Aug 05, 2022 at 11:16:03AM -0400, Justin Wilson (Lists) wrote:
> What's the availability of two byte asns look like? Anyone able to
> obtain one recently?
Yes, at $work we obtained one recently (without hassle, thank you ARIN
hostmasters!).
So, I recommend to follow normal procedure and
Hi Randy,
On Sun, 19 Jun 2022 at 23:07, Randy Bush wrote:
> >> It will also take much less RAM if you turn RPKI validation off.
> >
> > oh dear ghod. do i need to turn the dancing donkeys off too?
> >
> > "Make each program do one thing well. To do a new job, build afresh
> > rather than
Hi,
I recommend taking a look at
https://github.com/nttgin/BGPalerter
https://www.lacnic.net/innovaportal/file/4489/1/bgpalerter_lacnic33.pdf
It offers a great blend of BGP and RPKI ROA monitoring
Kind regards,
Job
On Wed, 15 Jun 2022 at 16:45, Mehmet Akcin wrote:
> Hi there
>
> What are
On Wed, May 11, 2022 at 01:22:32PM -0600, Grant Taylor via NANOG wrote:
> On 5/11/22 10:53 AM, Job Snijders via NANOG wrote:
> > This knob slightly increases your own memory consumption, but makes your
> > router more “neighbourly”! :-)
>
> I question how accurate &
Hi!
In current versions I think enabling “soft-reconfiguration-inbound always”
(also described at
https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr )
should be enough.
Make sure to enable it on every EBGP peer you apply ROV to, or just all
EBGP peers.
This knob slightly
Hi Shawn,
On Wed, Apr 20, 2022 at 01:14:29PM -1000, Shawn wrote:
> What is the best practice (or peoples preferred methods) to
> update/correct/maintain geolocation data?
> Do most people start with description field info in route/route6 objects?
>
> [snip]
>
> Maybe I am not using the magic
Hi Dan!
You highlight a common pitfall in IRR-based prefix filter generation.
On Mon, Apr 11, 2022 at 09:56:59AM -0700, Dan Mahoney (Gushi) wrote:
> [snip]
> as-set: AS-PEERS
> descr: Peer AS Numbers
> members:AS132251,AS132561,AS132516
> source: APNIC
>
>
On Mon, Apr 04, 2022 at 06:35:31PM -0400, Jon Lewis wrote:
> On Tue, 5 Apr 2022, Job Snijders wrote:
> > > Are others jumping ship or planning to from ALTDB (no offense intended,
> > > and
> > > grateful for the service you've provided) and other non-auth IRRs like
> > > RADB
> > > due to
Dear Jon, others,
On Mon, Apr 04, 2022 at 05:48:42PM -0400, Jon Lewis wrote:
> On Mon, 4 Apr 2022, Kenneth Finnegan wrote:
> > While I agree that it might be politically entertaining to let this
> > one blow up as a demonstration of how ARIN conducts business, this
> > list of networks includes
Dear all,
On Sat, Apr 02, 2022 at 09:09:58PM +, John Curran wrote:
> As previously reported here, ARIN will be shutting down the
> ARIN-NONAUTH IRR database on Monday, 4 April 2022 at 12:00 PM ET.
>
> It is quite likely that some network operators will see different
> route processing as a
Hi all,
It's super official now: no more software bugs in networking gear.
Sorry it took so long to document what the best current practise is!
Kind regards,
Job / Chris / Remco
- Forwarded message from rfc-edi...@rfc-editor.org -
Date: Fri, 1 Apr 2022 10:17:37 -0700 (PDT)
From:
On Wed, Mar 30, 2022 at 01:29:25PM +, Drew Weaver wrote:
> Ex 45.176.191.0/24 3356 3549 11172 270150
>
> RPKI ROA entry for 45.176.191.0/24-24
> Origin-AS: 265621
>
> Two questions:
>
> First, are you also seeing this on this specific route?
It is visible in a few places, but the 61%
On Mon, Mar 28, 2022 at 12:33:05PM +, Drew Weaver wrote:
> Is anyone else seeing this route destined for Twitter in the US being
> directed through 8359 announced by 8342?
>
> 104.244.42.0/24
>
> Just curious, replies off list welcome.
Seems visible in a handful of places:
$ w3m -dump
Hi Allen,
Yes, it can be this quiet. It’s good news, it means the thing is mostly
working :-)
I wish everyone a happy and calm 2022!
Kind regards,
Job
On Mon, 3 Jan 2022 at 20:47, Allen McKinley Kitchen (gmail) <
allenmckinleykitc...@gmail.com> wrote:
> Or has NANOG also succumbed to a
Hi all,
On Fri, 17 Dec 2021 at 19:50, Adrian Perrig wrote:
> other proposed approaches such as RPKI that only protects a route’s origin
> first AS, or BGPsec that requires widespread adoption and significant
> infrastructure upgrades.
>
For both RPKI-based BGP Route Origin Validation and
Hi Anurag,
Circular dependencies definitely are a thing to keep in mind when designing
IRR and RPKI pipelines!
In the case of IRR: It is quite rare to query the RIR IRR services
directly. Instead, the common practise is that utilities such as bgpq3,
peval, and bgpq4 query “IRRd”
On Fri, Oct 29, 2021 at 01:20:33AM +0400, Musa Stephen Honlue wrote:
> Personally I recommend dropping them invalids.
100%
> However, you could set local preferences as follows:
> - Valid routes get the highest local pref
> - unknown routes get a medium local pref
> - Invalid routes get the
On Tue, Oct 26, 2021 at 04:58:20PM -0700, Randy Bush wrote:
> i run a FORT RPKI relying party instance. i am looking for some
> visibility into its operation.
>
> is it up: both ways, fetching and serving routers?
>
> from what CAs has it pulled, how recently and frequently with
> what
Dear Edvinas,
On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
>
> Does enabling Hosted Mode (where it doesn't require any additional
> configuration on client end) on RPKI could for
On Mon, Oct 25, 2021 at 04:20:28PM -0400, Jared Mauch wrote:
> Some of the other CDNs do have IPv6 on the authorities and
> should work without issues.
>
> eg:
>
> dig -6 +trace www.akamai.com.
Yes of course :-)
dig -6 +trace www.fastly.com.
Kind regards,
Job
Hi everyone, goedenmiddag Marco!
On Fri, Oct 22, 2021 at 01:40:42PM +0200, Marco Davids via NANOG wrote:
> We currently live in times where it is actually fun to go IPv6-only. In my
> case, as in: running a FreeBSD kernel compiled without the IPv4-stack.
Indeed, this is fun experimentation. Shaking
Dear Lee,
*ring ring* - "IRR/RPKI helpdesk how may I help you today?" :-)
On Fri, Oct 22, 2021 at 08:25:10AM -0500, Lee Fawkes wrote:
> I have a couple of questions about best practices for Internet Routing
> Registries. I'm able to find lots of documentation about *how* to do
> things, but not
Hi Bryan,
On Thu, 16 Sep 2021 at 19:53, Bryan Holloway wrote:
> Hey all ... looking for a Fastly (54113) peering contact that might be
> able to get me in touch with the right folks to do stuff.
I’ll follow up with you off-list.
Kind regards,
Job
Dear Rubens,
On Mon, Aug 09, 2021 at 08:41:48AM -0300, Rubens Kuhl wrote:
> From a Cogent support ticket:
>> Please see the attached LOA.
>>
>> Regarding the RPKI ROA, for now, we don't create ROA for our prefixes
>> nor for prefixes that we assign to our customers and we don't plan to
>> do it.
On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
> Curious if anyone is aware of other Tier1s deprecating support for RADB?
Rather than deprecating RADB, I think the industry would be better off
if either RADB or the Tier1s (in their local caching layer) deploy IRR
database
Dear Ruben, all,
On Tue, Apr 27, 2021 at 10:18:32PM -0300, Rubens Kuhl wrote:
> TC IRR, an IRR operator focused on Brazilian networks, just changed to
> IRRd 4.2. The new version allowed TC to deploy RPKI validation
> (thanks NTT for sponsoring that development) and expose HTTPS
> endpoints for
Hi Robert, NANOG,
On Mon, Apr 26, 2021 at 09:29:27AM -0400, Robert Blayzor via NANOG wrote:
> According to Cloudflare's isbgpsafeyet.com, Cogent has been considered "safe"
> and is filtering invalids.
>
> But I have found that to be untrue (mostly). It appears that some days they
> filter IPv4,
On Thu, Apr 22, 2021 at 02:29:31PM +0300, Alexandre Snarskii wrote:
> 9002. Hit by Juniper PR1562090, route stuck in DeletePending..
> Workaround applied, sessions with 6939 restarted, route is gone.
Thank you for the details and clearing the issue.
Kind regards,
Job
On Wed, Apr 21, 2021 at 09:22:57PM +, Jakob Heitz (jheitz) wrote:
> I'd like to get some data on what actually happened in the real cases
> and analyze it.
>
> [snip]
>
> TCP zero window is possible, but many other things could
> cause it too.
Indeed. There could be a number of reasons that
Dear Jakob, group,
On Wed, Apr 21, 2021 at 08:59:06PM +, Jakob Heitz (jheitz) via NANOG wrote:
> Ben's blog details an experiment in which he advertises routes and then
> withdraws them, but some of them remain stuck for days.
>
> I'd like to get to the bottom of this problem.
I think there
Dear John,
Thank you for extending the deadline with another 6 months. Obviously 6
months amidst a global pandemic would never be enough time. :-)
Both John Sweeting [1] and myself [2] assert there are tens of thousands
of objects for which the relationship between the object's existence and
the
Dear Hank,
On Sat, Feb 20, 2021 at 07:37:08PM +0200, Hank Nussbacher wrote:
> Is there a place where one can examine RPKI invalid logs for a specific date
> & time
I have set up a publicly accessible archiver instance in Dallas, and one
in Amsterdam which capture and archive data every 20
On Tue, Feb 16, 2021 at 01:37:35PM -0600, John Kristoff wrote:
> I'd like to start a thread about the most famous and widespread Internet
> operational issues, outages or implementation incompatibilities you
> have seen.
>
> Which examples would make up your top three?
This was a fantastic
On Mon, Feb 08, 2021 at 04:02:14PM -0500, Justin Wilson (Lists) wrote:
> I enabled 134.195.47.1 on one of our routers.
Cool! I noticed the following: from many NLNOG RING nodes I can reach
that IP address, but not from 195.66.134.42:
deepmedia01.ring.nlnog.net:~$ mtr -z -w -r 134.195.47.1
Dear Justin,
On Mon, Feb 08, 2021 at 03:14:47PM -0500, Justin Wilson (Lists) wrote:
> It acts like the IP block was blacklisted at some point and got on
> some bad lists but I don’t want to limit myself to that theory.
> I have opened up a ticket with ARIN asking for any guidance. Has
> anyone