Hi Job, All,
It is definitely great to see progress on the deployment side! I realize that there may be some gaps in the network operator toolchain, and this may be something I'd like to contribute to.
For network operators to better understand the impact of BGP hijacks in terms of revenue or volumes of traffic that went missing, it makes perfect sense if network monitoring tools are aware of which BGP announcements are invalid or not.
I will look into adding support for the RTR protocol (RFC 6810, RFC 8210) to pmacct ( https://github.com/pmacct/pmacct , http://pmacct.net/ ) and expose the validation state through an extra field (when collecting routing tables) and primitive (when accounting traffic and correlating it with BGP data). Updating the telemetry tools to be fully aware of RPKI validation states should come in handy!
Paolo
On Thu, Jul 12, 2018 at 05:50:29PM +0000, Job Snijders wrote:
Hi all,
I wanted to share with you that a ton of activity is taking place in the Dutch networker community to deploy RPKI based BGP Origin Validation. The mantra is "invalid == reject" on all EBGP sessions.
What's of note here is that we're now seeing the first commercial ISPs doing Origin Validation. This is a significant step forward compared to what we observed so far (it seemed OV was mostly limited to academic institutions & toy networks). But six months ago Amsio (https://www.amsio.com/en/) made the jump, and today Fusix deployed (https://fusix.nl/deploying-rpki/).
We've also seen an uptake of Origin Validation at Internet Exchange route servers: AMS-IX and FranceIX have already deployed. I've read that RPKI OV is under consideration at a number of other exchanges.
Other cool news is that Cloudflare launched a Certificate Transparency initiative to help keep everyone honest. Announcement at: https://twitter.com/grittygrease/status/1017224762542587907 Certificate Transparency is a fascinating tool, really a necessity to build confidence in any PKI system.
Anyone here working to deploy RPKI based Origin Validation in their network and reject invalid announcements? Anything of note to share?
Kind regards,
Job