Hello everyone


So we (Indian networks) moved up from 5167 RPKI valid to 5693 valid since 12th July. This is still on the lower side considering that we just moved from 12% to 13% signed table. These RPKI ROAs have either been created or invalids have been fixed by 349 unique ASNs during this period. 

I have put a summary table on the public dashboard instance: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?viewPanel=72&orgId=1&from=now-7d&to=now

If you are reading this, have IP address space and are interested in securing it using RPKI ROAs, consider attending the BoF session with me and Shubham on 7th Aug: https://www.innog.net/innog-3/program/schedule/




Thanks. 

On Sat, Jul 18, 2020 at 2:04 AM Anurag Bhatia <me@anuragbhatia.com> wrote:
Hello INNOG community! 


As many of you might be aware - there's a major effort ongoing for deploying RPKI across the globe. At my daytime job (at Hurricane Electric / AS6939) we recently deployed RPKI validation. Many other large networks have also deployed RPKI in the last few months including but not limited to AT&T, KPN, GTT, Telia, Cogent, NTT, Seacom besides many larger exchanges. As far as I can see Tata Communications global AS6453 also seems to be dropping a large number of invalids (likely from their peers) besides ACT broadband which is also dropping invalids across a large part of its network. 


Deploying RPKI essentially has two key parts: 
  1. Signing your own prefixes / Creating RPKI ROAs
    Here you sign your prefixes. It's similar to an IRR route object but technically much better as it's a cryptographic signature which can be easily validated by a supported router. Having your own prefixes signed saves you from a possible hijack attempt of your prefixes. If anyone hijacks your unsigned prefixes, the announcement would be visible almost across the globe but if they are signed, you can expect most of the networks I listed above to be dropping those invalids. 

  2. Dropping invalids 
    Here you are expected to drop prefixes (of others) which you see do not carry a valid RPKI ROA. This part requires the support of RPKI in your router. 


Both of these steps are independent of each other. A network can create ROAs without validating or vice versa. As of now when looking across South and East Asia, we (India) seem to be lagging quite badly on ROA creation. 
There are around 42k prefixes visible in the global table from India and out of this only 5k are signed, i.e. just 12%. Comparing this to our neighbours - Bangladesh is at 82%, Myanmar at 78%, Nepal & Sri Lanka at 90%, Pakistan at 73% and Taiwan + Mongolia are at 90%+ levels. 




I have created a public dashboard to track the deployment across Asia with a focus on India. If interested, you can check it here: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?orgId=1



If you are a network operator with IP addresses, please consider the following: 
  1. Create RPKI ROAs for your prefixes. If your resources are from APNIC, you can do that at the My APNIC portal. If your resources are from IRINN, you can request IRINN to create ROAs for your prefixes (similar to the way you request the route objects). You would need to inform IRINN of the prefix + origin ASN you would like to use to originate it + the max allowed subnet mask (like /24 or /23... up to whatever size you wish to use in announcing the prefix). 

  2. Check out the invalids in India table published here: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?viewPanel=39&orgId=1 
    If you see any of your prefixes here, please consider fixing those. These announcements are already being rejected by various large networks and will cause issues for your customers. 

If you would like to read more about RPKI, this documentation can be a good start: https://rpki.readthedocs.io/en/latest/rpki/introduction.html and if you are wondering if your hardware is supported for dropping invalids, this one covers it: https://rpki.readthedocs.io/en/latest/rpki/router-support.html#hardware-solutions 



Feel free to write back here if you have any questions. 

Thanks. 
--
Anurag Bhatia


--
Anurag Bhatia
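
The three values a ROA carries (prefix, origin ASN, max length) and how a validating router uses them, as an added example that is not part of the original emails. It follows the route origin validation outcomes of RFC 6811 (valid, invalid, not-found), which goes slightly beyond the two cases the message describes; the function names, prefixes and ASNs are constructed for illustration and use documentation ranges.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder authorises
    origin_asn: int     # the only ASN allowed to originate it


def make_roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_asn)


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        # A ROA is relevant only if its prefix covers the announced route.
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = [
    make_roa("198.51.100.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64497),
]

if __name__ == "__main__":
    for prefix, asn in [
        ("198.51.100.0/24", 64496),    # matches the ROA
        ("198.51.100.0/24", 64511),    # covered, wrong origin ASN
        ("198.51.100.0/25", 64496),    # more specific than maxLength
        ("203.0.113.0/24", 64496),     # no covering ROA
    ]:
        print(prefix, f"AS{asn}", validate(prefix, asn, SAMPLE_ROAS))
```

The third case is the common self-inflicted invalid: the holder announces a more specific prefix than the max length in its own ROA allows, so the fix is either a new ROA or a wider max length.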