Dear Eric, If you don't mind me showering you with some study resources... here we go! On Fri, Jun 07, 2019 at 10:58:48AM -0400, Eric Dugas wrote:
I was wondering if there was a list of networks that enforce RPKI validation and dropping invalids.
The last list that was compiled is available here https://blog.benjojo.co.uk/post/state-of-rpki-in-2018 I expect that by now the list has doubled. We received many anecdotal reports since then from people having deployed Origin Validation in their networks. Perhaps if we ask Ben Cartwright-Cox nice enough he can run a new report for Q2 2019 :-)
The shortlist I know is: AT&T (since February of this year)
Which is awesome! AT&T's deployment has definitely lowered the barrier to deployment for others.
and of course NTT because of Job
Point of clarificartion: NTT is not there yet, but we are on our way. NTT does not yet apply RFC 6811 Origin Validation on its EBGP session and does not yet reject RPKI Invalid BGP announcements. However, NTT does use RPKI data in its filter generation process, more information on that topic can be found here: https://blog.apnic.net/2018/08/01/treating-rpki-roas-as-irr-route6-objects/ The next step will be to use RPKI data to ignore conflicting IRR data, this way the IRR will be harder to abuse in facilitating misconfigurations or hijacks. An example of that type of use of RPKI data can be found here https://ripe78.ripe.net/archives/video/119/ slides: https://ripe78.ripe.net/presentations/137-db_wg_ripe78_prop2018-06_snijders.... After that, we'll also use RPKI data to strengthen our EBGP filters in a similar way to how AT&T does it. I hope that we'll be done Q1 2020 - but don't hold me to that date! We move at telco speed sometimes ;-) An overview of where the industry was and where we're heading can be found in "Routing Security Roadmap" presentation at https://nlnog.net/nlnog-day-2018/ Finally - here is a quick and easy browser based tool to attempt to figure out if the network you are connected to performs RPKI based BGP Origin Validation (and is default-free) https://ripe.net/s/rpki-test Kind regards, Job