Dear Francois, On Thu, Jul 04, 2019 at 03:22:23PM +0000, Francois Lecavalier wrote:
Following that Verizon debacle I got onboard with ROV, after a couple research I stopped my choice on the ....drum roll.... CloudFlare GoRTR (https://github.com/cloudflare/gortr). If you trust them enough they provide an updated JSON every 15 minutes of the global RIR aggregate.
At this point in time I think the ideal deployment model is to perform the validation within your administrative domain and run your own validators. You can combine routinator with gortr, or use cloudflare's octorpki software https://github.com/cloudflare/cfrpki
I'll see down the road if we'll fetch them ourselves but at least it got us up and running in less than an hour. It was also easy for us to deploy as the routers and the servers are on the same PoP directly connected, so we don't need the whole encryption recipe they provide for mass distribution.
yeah, that is true!
But I also have a question for all the ROA folks out there. So far we are not taking any action other than lowering the local-pref - we want to make sure this is stable before we start denying prefixes. So the question, is it safe as of this date to : 1.Accept valid, 2. Accept unknown, 3. Reject invalid? Have any large network who implemented it dealt with unreachable destinations? I'm wondering as I haven't found any blog mentioning anything in this regard and ClouFlare docs only shows example for valid and invalid, but nothing for unknown.
I believe at this point in time it is safe to accept valid and unknown (combined with an IRR filter), and reject RPKI invalid BGP announcements at your EBGP borders. Large examples of other organisations who already are rejecting invalid announcements are AT&T, Nordunet, DE-CIX, YYCIX, XS4ALL, MSK-IX, INEX, France-IX, Seacomm, Workonline, KPN International, and hundreds of others. You can run an analysis yourself to see how traffic would be impacted in your network using pmacct or Kentik, see this post for more info: https://mailman.nanog.org/pipermail/nanog/2019-February/099522.html
My assumption is that 1.Accept valid, 2. Accept unknown, 3. Reject invalid shouldn't break anything.
Correct! Let us know how it went :-) Kind regards, Job