Job,
Congratulations to NTT, AT&T, and others in our community who have deployed validation on their network edge. What is really exciting is all the activity in this and other operator regions that has come together to promote securing the routing system by combining multiple strategies. This shift to leadership by example is a big shift from just using the mailing list for public shaming anti-social behavior. (Public shaming should still be used strategically :-).
While this is an important step, the big win that I see is the larger project promoting securing the routing system by combining multiple strategies. There is significant power in combining multiple strategies and engaging other organizations to develop their own multi-pronged approach. That evangelizing and investing in "leadership by example" has really accelerated this project in ways that individual engineers struggled to do so before and as a community where we remained stuck in the past. By raising the industry standard for routing security, implementation of these measures is no longer optional, and that has been done without government interference. NTT has invested in bringing this whole package to the NANOG region -- developing tools, working with other networks and even competitors, and evangelization of routing security.
I am speaking on my own behalf, but as NANOG has started using social media and other online tools to promote the knowledge of the community, I will talk to the PC and staff about curating routing security materials for an educational playlist. If there is any chance you could resend a link to some of your materials, I think that would be beneficial (IRR tools, rpki validation and planning tools, peerlock implementation)? I also encourage any operator with a few spare minutes to poke around
manrs.org/isps .
Thanks,
Sean
Em qui., 26 de mar. de 2020 às 08:32, Job Snijders <
job@ntt.net> escreveu:
Dear group,
Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
based BGP Origin Validation on virtually all EBGP sessions, both
customer and peering edge. This change positively impacts the Internet
routing system.
The use of RPKI technology is a critical component in our efforts to
improve Internet routing stability and reduce the negative impact of
misconfigurations or malicious attacks. RPKI Invalid route announcements
are now rejected in NTT EBGP ingress policies. A nice side effect:
peerlock AS_PATH filters are incredibly effective when combined with
RPKI OV.
For NTT, this is the result of a multiyear project, which included
outreach, education, collaboration with industry partners, and
production of open source software shared among colleagues in the
industry.
Shout out to Louis & team (Cloudflare) for the open source GoRTR
software and the OpenBSD project for rpki-client(8).
I hope some take this news as encouragement to consider RPKI OV
"invalid == reject"-policies as safe to deploy in their own BGP
environments too. :-)
If you have questions, feel free to reach out to me directly or the
NTT NOC at <noc@ntt.net>.
Kind regards,
Job