<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Colleagues,</p>
<p>Hope all of you are safe and well during this critical time.</p>
<p>Seeing my post about checking your BGP safety using
<a class="moz-txt-link-freetext" href="https://isbgpsafeyet.com">https://isbgpsafeyet.com</a> or <a class="moz-txt-link-freetext" href="https://www.ripe.net/s/rpki-test">https://www.ripe.net/s/rpki-test</a>,
many of you reached out to me and asked what you should do if your
result is not positive.</p>
<p>The way those tests work is simply accessing an RPKI VALID
destination and an RPKI INVALID destination. If you can access the
VALID only (and not the INVALID one), that means you or your ISP
is doing RPKI Origin Validation and dropping INVALID routes. If
your PC can access the INVALID destination, that means you or your ISP
is NOT doing validation.</p>
<p>It is expected that ISPs perform Route Origin Validation. But
origin validation has some (kind of) prerequisites:</p>
<p>1. You have a full BGP routing table<br>
2. You drop the default route from all of your external peers/transits<br>
</p>
<p>If you receive a full BGP table from your transits/peers, RPKI
Route Origin Validation is straightforward; you can use an open
source validator like NLnetLabs' Routinator, RIPE NCC's RPKI
Validator, Cloudflare's OctoRPKI, LACNIC's FORT etc.</p>
<p><font color="#ff2600">If you receive only a default route or
partial BGP routes from your peers/transits, please ask them to
do RPKI validation for you. And, I really mean that. You should
ask them for it, please do not remain silent thinking that this
is not your job. It is your responsibility to make your BGP
secure. If it requires engaging your transits/peers, please talk
to them and ensure that they are doing validation.<br>
</font></p>
<p>Thanks,<br>
Awal<br>
</p>
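<p>Added example, not part of the original message: a small Python model of
RFC 6811 origin validation that drops INVALID routes and then checks what
still carries a destination, showing why the two prerequisites above matter.
The VRPs, routes, AS numbers and function names are constructed for
illustration (documentation prefixes, reserved AS numbers).</p>
<pre>
```python
import ipaddress

# Constructed sample VRPs: (prefix, max length, authorised origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]

# Constructed sample routes received from peers/transits: (prefix, origin AS).
FULL_TABLE = [
    ("192.0.2.0/24", 64500),     # matches a VRP
    ("198.51.100.0/24", 64666),  # covered by a VRP, wrong origin AS
    ("203.0.113.0/24", 64502),   # no covering VRP
]
WITH_DEFAULT = FULL_TABLE + [("0.0.0.0/0", 64510)]  # default route kept


def rov_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS and a length up to max_len.
        if vrp_as == origin_as and route.prefixlen in range(vrp_net.prefixlen, max_len + 1):
            return "valid"
    return "invalid" if covered else "not-found"


def best_route(dest, rib):
    """Longest-prefix match of dest over the (prefix, origin AS) entries."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rib if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def reachable_after_rov(dest, received):
    """Drop 'invalid' routes, then return the route still carrying dest."""
    rib = [r for r in received if rov_state(r[0], r[1]) != "invalid"]
    return best_route(dest, rib)


if __name__ == "__main__":
    for name, table in (("full table", FULL_TABLE), ("with default", WITH_DEFAULT)):
        print(name, reachable_after_rov("198.51.100.10", table))
```
</pre>
<p>With the full table only, the INVALID destination has no route left; with
the default route kept, its traffic still leaves via 0.0.0.0/0, so the outcome
depends on whether the upstream validates.</p>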
</body>
</html>