[bdNOG] RPKI Origin Validation

Md. Abdul Awal awal.ece at gmail.com
Sun Apr 19 17:22:06 BDT 2020


Dear Colleagues,

Hope all of you are safe and well during this critical time.

Seeing my post about checking your BGP safety using
https://isbgpsafeyet.com or https://www.ripe.net/s/rpki-test , many of
you reached out to me and asked what you should do if your result is not
positive.

The way those tests work is simply accessing an RPKI VALID destination
and an RPKI INVALID destination. If you can access the VALID one only (and
not the INVALID one), that means you or your ISP is doing RPKI Origin
Validation and dropping INVALID routes. If your PC can access the
INVALID destination, that means you or your ISP is NOT doing validation.

It is expected that ISPs perform Route Origin Validation. But origin
validation has some (kind of) prerequisites:

1. You have a full BGP routing table
2. You drop the default route from all of your external peers/transits

If you receive the full BGP table from your transits/peers, RPKI Route
Origin Validation is straightforward; you can use open source validators
like NLnetLabs' Routinator, RIPE NCC's RPKI Validator, Cloudflare's
OctoRPKI, LACNIC's FORT etc.

If you receive only a default route or partial BGP routes from your
peers/transits, please ask them to do RPKI validation for you. And, I
really mean that. You should ask them for it, please do not remain
silent thinking that this is not your job. It is your responsibility to
make your BGP secure. If it requires engaging your transits/peers,
please talk to them and ensure that they are doing validation.

Thanks,
Awal
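As an added illustration (not part of Awal's mail, and not code from any of the validators named above), the following Python script implements the Route Origin Validation decision the mail relies on: a received route is compared against the Validated ROA Payloads (VRPs) a validator would hand to the router, and comes out VALID, INVALID or NOT_FOUND per RFC 6811. The VRP set and the route announcements are constructed from documentation prefixes and private ASNs; the `accepts()` policy mirrors the mail's "drop INVALID routes" behaviour, and the last case shows why a default route from a transit is not caught by local validation (no VRP ever covers 0.0.0.0/0, so it is NOT_FOUND and accepted).

```python
"""Route Origin Validation (RFC 6811) against a constructed VRP set.

Added example; the VRPs, prefixes and AS numbers below are made up from
documentation ranges (RFC 5737 / RFC 3849) and private ASNs (RFC 6996).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    VALID = "valid"          # some covering VRP matches origin AS and max length
    INVALID = "invalid"      # covering VRPs exist, but none match
    NOT_FOUND = "not-found"  # no VRP covers the prefix at all


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: IPNetwork
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP from a textual prefix (strict: host bits must be zero)."""
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, asn)


# Constructed VRP set, standing in for what a validator exports via RTR.
VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 24, 64496),     # AS64496 may announce exactly the /24
    vrp("2001:db8::/32", 48, 64496),    # AS64496 may announce /32 down to /48
    vrp("203.0.113.0/24", 24, 0),       # AS0 ROA: nobody may originate this
]


def validate_origin(route_prefix: str, origin_asn: int,
                    vrps: Iterable[VRP]) -> Validity:
    """RFC 6811 validation state of one (prefix, origin AS) announcement."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    # Covering VRPs: same address family and the route sits inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return Validity.NOT_FOUND
    for v in covering:
        # A match needs the authorised AS and a length within the ROA's maxLength.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return Validity.VALID
    return Validity.INVALID


def accepts(route_prefix: str, origin_asn: int,
            vrps: Iterable[VRP] = VRPS) -> bool:
    """Import policy from the mail: drop INVALID, keep VALID and NOT_FOUND."""
    return validate_origin(route_prefix, origin_asn, vrps) is not Validity.INVALID


def filter_routes(routes: Iterable[Tuple[str, int]],
                  vrps: Iterable[VRP] = VRPS) -> List[Tuple[str, int]]:
    """Apply the policy to a batch of announcements; return the ones kept."""
    vrp_list = list(vrps)
    return [r for r in routes if accepts(r[0], r[1], vrp_list)]


if __name__ == "__main__":
    # Constructed announcements, as they might arrive from a transit session.
    announcements = [
        ("192.0.2.0/24", 64496),     # VALID: matches the ROA exactly
        ("192.0.2.0/25", 64496),     # INVALID: more specific than maxLength 24
        ("192.0.2.0/24", 64497),     # INVALID: wrong origin AS (hijack pattern)
        ("198.51.100.0/24", 64496),  # NOT_FOUND: no ROA, accepted by policy
        ("203.0.113.0/24", 64496),   # INVALID: AS0 ROA forbids any origin
        ("0.0.0.0/0", 64500),        # NOT_FOUND: a default route is never covered
    ]
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, VRPS)
        verdict = "keep" if accepts(prefix, asn) else "drop"
        print(f"{prefix:18} AS{asn:<6} {state.value:10} -> {verdict}")
```

The default-route line is the point of the mail's second prerequisite: if your transit only sends you 0.0.0.0/0, every one of the INVALID prefixes above still becomes reachable through that default, and no validator you run locally changes that; only the transit validating on its side does.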
