
ok ok, now I understand and am a believer!
some of our address space was hijacked. i did the arin.net roa entries, and BAM-O... moments later, all my routes are validated and the erroneous hijacked routes are gone!
love it
wanted to share and emphasize to others, if you don't have your prefixes protected at your RIR (ARIN), do it. it only takes a few minutes.
https://www.arin.net/resources/manage/rpki/roa_request/
https://youtu.be/cVftieOVn1M
-- -Aaron

I second this. I used to be scared of possibly going offline during the security filter updates, but I was given the advice to first get IRR route objects behind everything already advertised and then publish ROAs. ARIN's process is pretty slick that it auto-associates new ROAs with existing IRR routes.
Something to remember is that some of the larger tier providers only update their filter lists daily or bi-daily.
From: Aaron Gould via NANOG <nanog@lists.nanog.org>
Sent: Thursday, May 15, 2025 12:26 PM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Aaron Gould <aaron1@gvtc.com>
Subject: rpki roa irr - i now believe
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PRA2CQTR...

I too was nervous going into it. But I can say everything was seamless. I didn’t see any glitch or downtime. Interestingly, now I understand many looking glass web pages and CLI-based route servers reflect the state of RPKI… with green, yellow, valid, etc. I did my ROA entries with the actual ARIN-assigned prefix length… (e.g. /19 … /32 …etc) and then added the optional MAX length, of /24 or /48, not fully understanding the dynamic of it other than assuming it means that, I can send routes as specific as that max length and still achieve RPKI validation using said ROA entries. Someone can confirm or deny or explain if my understanding is correct about that max length setting in the ROA entries. Aaron
On May 15, 2025, at 11:35 AM, Eric C. Miller <eric@ericheather.com> wrote:
I second this. I used to be scared of possibly going offline during the security filter updates, but I was given the advice to first get IRR route objects behind everything already advertised and then publish ROAs. ARIN's process is pretty slick that it auto-associates new ROAs with existing IRR routes.
Something to remember is that some of the larger tier providers only update their filter lists daily or bi-daily.

My understanding is that you should publish ROAs for exactly what you want to see in the DFZ. The max-length value has some value, but it's an attack vector that must be properly managed. In my case, we plan to advertise a /22 from each POP, so we publish a ROA with a.b.c.0/22, omitting the max-length. If I need to de-aggregate a specific prefix for any reason, I'll create a new ROA with the specific prefix.
I'm tip-toe-ing around here, I'm not a RPKI pro. If someone more knowledgeable than I can opine, that would be great :)
Eric
From: Aaron1 <aaron1@gvtc.com>
Sent: Thursday, May 15, 2025 1:08 PM
To: Eric C. Miller <eric@ericheather.com>
Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>
Subject: Re: rpki roa irr - i now believe

nanog@lists.nanog.org (Eric C. Miller via NANOG) wrote:
My understanding is that you should publish ROAs for exactly what you want to see in the DFZ. The max-length value has some value, but it's an attack vector that must be properly managed. In my case, we plan to advertise a /22 from each POP, so we publish a ROA with a.b.c.0/22, omitting the max-length. If I need to de-aggregate a specific prefix for any reason, I'll create a new ROA with the specific prefix.
Seconded. We also do that, and we try to always push all the prefixes that fall under that ROA's claim, so we know they're in the DFZ in full glory. Which also means we try to not publish too broad a ROA (can't be avoided sometimes). I am, alas, surprised that ROAs work so well. If I - speaking theoretically! - were to hijack a network, and I was happy to only get *part* of the traffic, I'd know what to do. I would need a transit ISP that does no BCP38 though, and I REALLY hope those get fewer and fewer, but currently these ISPs exist, and *that* is the problem. The real remedy, of course, is MANRS. Promote. Elmar.
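Aaron asked what the optional MAX length on a ROA actually does, and Eric's answer is to publish exact-length ROAs and omit it. The following is an added example, not code from the thread or from ARIN, that implements the RFC 6811 origin validation a router performs once it has the VRPs, so the effect of maxLength can be checked before a ROA is published. The ROAs, prefixes (private and documentation space) and ASNs 64496/64497 are constructed; `preflight` is a hypothetical helper name.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin ASN) triple that a
    relying-party validator distils from a signed ROA and pushes to routers."""
    prefix: Network
    max_length: int
    asn: int


def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    """A ROA as entered at the RIR portal. Per RFC 6482 a ROA without maxLength
    authorises only the exact prefix length, which is why Eric omits it."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def covering_vrps(vrps: Iterable[VRP], net: Network) -> List[VRP]:
    """VRPs whose prefix contains the announced prefix ('covered', RFC 6811)."""
    return [v for v in vrps
            if v.prefix.version == net.version and net.subnet_of(v.prefix)]


def rov_state(vrps: Iterable[VRP], prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation outcome for one BGP route.
    It checks only the origin AS at the end of the AS_PATH, nothing about the
    rest of the path, which is why the thread calls ROV a deterrent against
    mis-originations rather than a complete security mechanism."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_vrps(vrps, net)
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    for v in covering:
        # RFC 7607: an AS 0 ROA matches nothing, so it only ever invalidates.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def preflight(vrps: Iterable[VRP],
              announcements: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Announcements that would become Invalid under the given ROAs. Run this
    over everything you already advertise before publishing, which is the
    'am I about to filter myself off the Internet' check Eric was nervous about."""
    vrps = list(vrps)
    return [(p, a) for p, a in announcements if rov_state(vrps, p, a) == "Invalid"]


# Constructed sample ROAs: documentation ASNs and private/documentation prefixes.
SAMPLE_ROAS = [
    roa("10.1.0.0/22", 64496),          # exact length only, as Eric describes
    roa("10.2.0.0/22", 64496, 24),      # maxLength /24: /22, /23 and /24 are Valid
    roa("2001:db8::/32", 64496, 48),    # IPv6 with maxLength /48
    roa("10.3.0.0/24", 0),              # AS 0: nobody is authorised to originate
]


if __name__ == "__main__":
    cases = [("10.1.0.0/22", 64496), ("10.1.0.0/24", 64496), ("10.1.0.0/22", 64497),
             ("10.2.1.0/24", 64496), ("10.2.1.0/25", 64496),
             ("2001:db8:abcd::/48", 64496), ("10.3.0.0/24", 64496), ("10.9.0.0/16", 64496)]
    for p, a in cases:
        print(f"{p:22} origin AS{a} -> {rov_state(SAMPLE_ROAS, p, a)}")
    print("would break:", preflight(SAMPLE_ROAS, [("10.1.0.0/22", 64496), ("10.1.2.0/24", 64496)]))
```

The two /22 ROAs show the trade-off: with no maxLength, a /24 from your own ASN is Invalid (you must add a ROA before de-aggregating, as Eric does), while with maxLength /24 every /23 and /24 under it is Valid for that origin, so the ROA also covers more-specifics you never intended to announce. The AS 0 entry is the RFC 7607 way to say a block must not be originated by anyone.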

If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?
On 2025-05-15 16:26, Aaron Gould via NANOG wrote:
ok ok, now I understand and am a believer!

RPKI isn't the whole picture. It's about validating ORIGIN-AS. The rest of IRR is still relevant when it comes to protecting the AS-PATH. Hijacked prefixes of the same size won't travel as far nowadays because of widespread adoption amongst the larger providers.
Eric
From: Laszlo H via NANOG <nanog@lists.nanog.org>
Sent: Thursday, May 15, 2025 4:59 PM
To: Aaron Gould via NANOG <nanog@lists.nanog.org>
Cc: Laszlo H <laszlo@heliacal.net>
Subject: Re: rpki roa irr - i now believe
If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?

Ola! On Fri, 16 May 2025 at 06:00, Laszlo H via NANOG <nanog@lists.nanog.org> wrote:
If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?
Sure, but AS spoofing generally means longer AS_PATHs (you’d put the spoofed thing behind a non-spoofed ASN), which is an impediment when trying to win best path selection.
This posting might be of interest https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of...
Kind regards,
Job

If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?
ROV is not a serious security mechanism. it also does not wash your car. it is meant to deter mis-originations. it seems to work. randy

It worked for me. A portion of my address space was being advertised from an ISP in Africa… I quickly learned about ARIN RPKI ROA, did it, and within about 10 minutes the wrong routes were gone from looking glass/route servers and suddenly all my ARIN-assigned prefixes showed as “validated” and green.
I’m wondering how this works. Do SP’s have some sort of api or bgp session with a rpki database at ARIN? I mean this all must be linked together somehow for it to work as nicely as it did.
Aaron
On May 17, 2025, at 3:23 PM, Randy Bush via NANOG <nanog@lists.nanog.org> wrote:
If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?
ROV is not a serious security mechanism. it also does not wash your car. it is meant to deter mis-originations. it seems to work.
randy

I’m wondering how this works. Do SP’s have some sort of api or bgp session with a rpki database at ARIN? I mean this all must be linked to gather somehow for it to work as nicely as it did.
i am sure others will be better than i at pointing you to good tutorials on how rpki-based route origin validation works, but essentially it is a globally distributed database which trickles down to routers which then check if a route has a valid origin AS. randy

Yessir… it’s the “…trickle down…” that I’m curious about. Aaron
On May 17, 2025, at 5:19 PM, Randy Bush <randy@psg.com> wrote:
I’m wondering how this works. Do SP’s have some sort of api or bgp session with a rpki database at ARIN? I mean this all must be linked to gather somehow for it to work as nicely as it did.
i am sure others will be better than i at pointing you to good tutorials on how rpki-based route origin validation works, but essentially it is a globally distributed database which trickles down to routers which then check if a route has a valid origin AS.
randy

Look into your router OS of choice’s RPKI validation implementation — here’s a (somewhat dated) example for IOS-XR: https://archive.nanog.org/sites/default/files/Patel.pdf
Routinator from NLnet Labs (https://www.nlnetlabs.nl/projects/routing/routinator/) is a great validation service/proxy/etc. to deploy on your local telemetry network, and have the routers pull from.
On May 17, 2025, at 4:54 PM, Aaron1 via NANOG <nanog@lists.nanog.org> wrote:
I’m wondering how this works. Do SP’s have some sort of api or bgp session with a rpki database at ARIN?
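Aaron's question about how ARIN's ROAs reach service-provider routers, and Randy's "trickles down", come down to the last hop of that chain: a validator such as Routinator fetches and cryptographically validates the ROAs from the RIR repositories and then serves the resulting VRPs to routers over the RPKI-to-Router protocol (RTR, RFC 8210). The following is an added example, not from the thread and not Routinator's or NLnet Labs' code, that encodes and decodes the RTR PDUs of a full fetch and of an incremental update the way a router would consume them. The session id 0x1234, serial numbers, timers, prefixes and ASN 64496 are all constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Set

RTR_VERSION = 1               # RFC 8210
PDU_RESET_QUERY = 2
PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
FLAG_ANNOUNCE = 0x01          # flags bit 0: 1 = announce VRP, 0 = withdraw it


@dataclass(frozen=True)
class VRP:
    prefix: str               # e.g. "10.1.0.0/22"
    max_length: int
    asn: int


@dataclass
class CacheState:
    """What the router keeps per cache: session id, serial, timers and VRPs."""
    session_id: int
    serial: int
    refresh: int
    retry: int
    expire: int
    vrps: Set[VRP]


def encode_reset_query() -> bytes:
    """Sent by a router on a fresh session: 'send me everything'."""
    return struct.pack("!BBHI", RTR_VERSION, PDU_RESET_QUERY, 0, 8)


def encode_cache_response(session_id: int) -> bytes:
    return struct.pack("!BBHI", RTR_VERSION, PDU_CACHE_RESPONSE, session_id, 8)


def encode_prefix_pdu(vrp: VRP, announce: bool = True) -> bytes:
    """IPv4 Prefix PDU (type 4, 20 bytes) or IPv6 Prefix PDU (type 6, 32 bytes)."""
    net = ipaddress.ip_network(vrp.prefix, strict=True)
    pdu_type, length = (PDU_IPV4_PREFIX, 20) if net.version == 4 else (PDU_IPV6_PREFIX, 32)
    flags = FLAG_ANNOUNCE if announce else 0
    return (struct.pack("!BBHI", RTR_VERSION, pdu_type, 0, length)
            + struct.pack("!BBBB", flags, net.prefixlen, vrp.max_length, 0)
            + net.network_address.packed
            + struct.pack("!I", vrp.asn))


def encode_end_of_data(session_id: int, serial: int, refresh: int = 3600,
                       retry: int = 600, expire: int = 7200) -> bytes:
    """Closes a response and carries the timers the router must honour."""
    return struct.pack("!BBHIIIII", RTR_VERSION, PDU_END_OF_DATA, session_id, 24,
                       serial, refresh, retry, expire)


def decode_response(data: bytes, state: Optional[CacheState] = None) -> CacheState:
    """Parse Cache Response ... End Of Data into the router's VRP table.
    Pass the previous CacheState to apply an incremental (serial) update."""
    vrps = set(state.vrps) if state else set()
    session_id = state.session_id if state else None
    off = 0
    while off + 8 <= len(data):
        version, pdu_type, sess, length = struct.unpack_from("!BBHI", data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < 8 or off + length > len(data):
            raise ValueError("truncated or malformed PDU")
        pdu = data[off:off + length]
        if pdu_type == PDU_CACHE_RESPONSE:
            if session_id is not None and sess != session_id:
                raise ValueError("session id changed: drop state and send Reset Query")
            session_id = sess
        elif pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            addr_len = 4 if pdu_type == PDU_IPV4_PREFIX else 16
            if length != 16 + addr_len:
                raise ValueError("bad prefix PDU length")
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", pdu, 8)
            addr = ipaddress.ip_address(pdu[12:12 + addr_len])
            (asn,) = struct.unpack_from("!I", pdu, 12 + addr_len)
            vrp = VRP(f"{addr}/{plen}", maxlen, asn)
            vrps.add(vrp) if flags & FLAG_ANNOUNCE else vrps.discard(vrp)
        elif pdu_type == PDU_END_OF_DATA:
            if length != 24 or sess != session_id:
                raise ValueError("End Of Data does not match the session")
            serial, refresh, retry, expire = struct.unpack_from("!IIII", pdu, 8)
            return CacheState(session_id, serial, refresh, retry, expire, vrps)
        off += length
    raise ValueError("stream ended without End Of Data")


def sample_full_response() -> bytes:
    """Constructed: a cache's answer to a Reset Query, session 0x1234, serial 42."""
    return b"".join([encode_cache_response(0x1234),
                     encode_prefix_pdu(VRP("10.1.0.0/22", 22, 64496)),
                     encode_prefix_pdu(VRP("2001:db8::/32", 48, 64496)),
                     encode_end_of_data(0x1234, serial=42)])


def sample_incremental_update() -> bytes:
    """Constructed: serial 43 withdraws the IPv4 VRP and announces a replacement
    with maxLength /24, i.e. what the operator changing the ROA would produce."""
    return b"".join([encode_cache_response(0x1234),
                     encode_prefix_pdu(VRP("10.1.0.0/22", 22, 64496), announce=False),
                     encode_prefix_pdu(VRP("10.1.0.0/22", 24, 64496)),
                     encode_end_of_data(0x1234, serial=43)])
```

Run `decode_response(sample_full_response())` and then feed the result back in with `sample_incremental_update()` to see the VRP table move from serial 42 to 43. In a real deployment the router is configured with the validator's address (Routinator conventionally serves RTR on TCP port 3323), sends a Reset Query, and afterwards only asks for changes since its last serial; the refresh/retry/expire timers in End Of Data bound how long stale VRPs stay in use if the cache goes away, which is the knob that turns Eric's "daily or bi-daily" filter lag into minutes for ROV.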

On Thu, May 15, 2025 at 11:26:11AM -0500, Aaron Gould via NANOG wrote:
ok ok, now I understand and am a believer!
some of our address space was hijacked. i did the arin.net roa entries, and BAM-O... moments later, all my routes are validated and the erroneous hijacked routes are gone!
love it
had a similar experience at my previous employer: https://www.fastly.com/blog/war-story-rpki-is-working-as-intended
What used to be a large outage now ends up being no big deal
Kind regards,
Job

Thanks y’all. It’s interesting that routing works without RPKI. And if I put in my RIR-based ROAs, it will invalidate any rogue advertisements…and now validate mine. Someone previously mentioned that if a bad actor tries to advertise a prefix with my AS as the origin (first “last” AS in the path list) that it could maybe circumvent RPKI…? I wouldn’t think it would be that easy. Or should I say I really hope it wouldn’t be that easy.
Aaron
On May 17, 2025, at 10:57 PM, Job Snijders <job@sobornost.net> wrote:
had a similar experience at my previous employer: https://www.fastly.com/blog/war-story-rpki-is-working-as-intended
What used to be a large outage now ends up being no big deal
Kind regards,
Job
participants (8): Aaron Gould, Aaron1, Elmar K. Bins, Eric C. Miller, Job Snijders, Laszlo H, Randy Bush, Tim Burke