Understanding impact of RPKI and ROA on existing advertisements
Hello, I am new to RPKI/ROA and still learning about RPKI. From all my reading of ARIN's documents I am not able to answer some of my questions. We have a public ARIN block and advertise smaller subnets from that to our ISPs. We do not have any RPKI configs. We need to set up ROAs to take another subnet from the ARIN block to AWS. Reading ARIN's docs, it seems I need to get set up on their Hosted RPKI service, after which I can configure ROAs for the networks I am taking to AWS.

My question is, will this impact my existing advertisements to my ISPs? The current advertisements do not have ROAs. Will having RPKI for my ARIN network, without ROAs for the existing advertisements, impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/
You may want to set this up yourself anyway. In the effort of making things work, your upstream ISP may have had to set up these records on your behalf. If not now, they may in the future. Having duplicate entries can cause unexpected results.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT
Creating ROAs for *all* the announcements that are done with your prefixes, both on your own AS and the ones announced by AWS, is probably the best way forward from both a routing security and ease-of-management perspective.

-Alex
In general, you want to create suitable ROAs for the most specific routes that will be advertised first. Suppose you have a /20 from ARIN. You plan to take a /24 from that /20 to AWS. From what you've said, all you need is a ROA for the /24 you're taking to AWS, saying it can be originated by whatever ASN will be originating it at AWS.

One danger with RPKI is shooting yourself (or customers) in the foot by creating too general a ROA. I.e., suppose you have an ARIN /20. You have a multihomed customer to whom you've assigned a /24 from your /20. You create a ROA for the /20 saying your ASN is authorized to originate your /20. Now that customer /24 has become RPKI-invalid, and the customer may find that their other provider is filtering their /24 advertisement.

On Tue, 1 Nov 2022, Alex Band wrote:
Creating ROAs for *all* the announcements that are done with your prefixes, both on your own AS and the ones announced by AWS, is probably the best way forward from both a routing security and ease-of-management perspective.
-Alex
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
One danger with RPKI, is shooting yourself (or customers) in the foot by creating too general a ROA. i.e. Suppose you have an ARIN /20. You have a multihomed customer to whom you've assigned a /24 from your /20. You create a ROA for the /20 saying your ASN is authorized to originate your /20. Now that customer /24 has become an RPKI-invalid, and the customer may find that their other provider is filtering their /24 advertisement.
I.e., you must also create ROA(s) for your BGP customers' more-specific(s) of your aggregate.
Thanks everyone for your inputs. So, bottom line: set up RPKI and set up ROAs for all our subnets being advertised. Much of this is legacy and has too many unknowns; being handed down networks without documentation also does not help.

Thanks,
Sam

On Tue, Nov 1, 2022 at 9:07 AM heasley <heas@shrubbery.net> wrote:
It's very important to specify the /24 inside the /23, for example, so, as you said, "for all our subnets being advertised".

On Tue, Nov 1, 2022 at 5:01 PM Randy Bush <randy@psg.com> wrote:
Thanks everyone for your inputs. So bottomline setup RPKI and setup ROA's for all our subnets being advertised.
if the BGP advertisements are correct, then mirror them in ROAs. most, if not all, CA UIs make that easy.
randy
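Jon Lewis's /20 example and the "mirror the BGP advertisements in ROAs" advice above, worked through in Python as an added example (not code from anyone in this thread): the origin validation rules of RFC 6811 applied to a constructed set of announcements under three ROA configurations. The prefixes (benchmarking range), ASNs (documentation range) and the AWS-side ASN are all constructed sample data, not real allocations.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "198.18.0.0/20"
    asn: int          # ASN allowed to originate it
    max_length: int   # longest more-specific the ROA also authorises

def covers(roa, net):
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)

def validate(prefix, origin_asn, roas):
    """Route Origin Validation per RFC 6811: NotFound when no ROA covers the
    prefix (the state of every announcement before its ROA exists), Valid when a
    covering ROA matches the origin ASN within its maxLength, otherwise Invalid."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"

def audit(announcements, roas):
    """Validate every (prefix, origin ASN) pair that is actually in BGP."""
    return {(p, a): validate(p, a, roas) for p, a in announcements}

# Constructed sample: benchmarking range and documentation ASNs, not real allocations.
AGGREGATE_ASN, AWS_ASN, CUSTOMER_ASN = 64496, 64500, 64511
ANNOUNCEMENTS = [
    ("198.18.0.0/20", AGGREGATE_ASN),  # the aggregate, sent to the upstreams
    ("198.18.2.0/23", AGGREGATE_ASN),  # a more-specific sent to one upstream
    ("198.18.5.0/24", AWS_ASN),        # the /24 being taken to AWS
    ("198.18.7.0/24", CUSTOMER_ASN),   # multihomed customer's /24, via their other ISP
]
# Step 1: a ROA only for the AWS /24. Everything else stays NotFound; nothing breaks.
ROAS_AWS_ONLY = [ROA("198.18.5.0/24", AWS_ASN, 24)]
# Step 2: add the "too general" /20 ROA from Jon's example (maxLength 20).
ROAS_TOO_GENERAL = ROAS_AWS_ONLY + [ROA("198.18.0.0/20", AGGREGATE_ASN, 20)]
# Step 3: mirror every announcement that is really in BGP, as Randy suggests.
ROAS_MIRRORED = ROAS_TOO_GENERAL + [
    ROA("198.18.2.0/23", AGGREGATE_ASN, 23),
    ROA("198.18.7.0/24", CUSTOMER_ASN, 24),
]

if __name__ == "__main__":
    for name, roas in (("aws only", ROAS_AWS_ONLY), ("too general", ROAS_TOO_GENERAL), ("mirrored", ROAS_MIRRORED)):
        print(name, audit(ANNOUNCEMENTS, roas))
```

Step 2 shows the foot-gun: the /20 ROA alone turns both the customer's /24 and your own /23 more-specific Invalid, while the unrelated AWS /24 stays Valid because its own ROA matches.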
If the route can exist in a FIB, a ROA can exist for it. So, there is no reason not to create the ROAs.
--
Douglas Fernando Fischer
Control and Automation Engineer
RPKI/ROA is a way to cryptographically prove what someone needs to prepend if they want to hijack your addresses.

Owen
Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
RPKI/ROA is a way to cryptographically prove what someone needs to prepend if they want to hijack your addresses.
Operators should not be deterred by that comment. Owen seems to be ignoring what it does achieve and that this is part of a larger system that is still emerging. See IETF sidrops wg. In the interim, do your part to improve DFZ hygiene.
Owen
Oh, I'm not ignoring it, I'm just rather underwhelmed by it and, given how long it took SIDRWG to get RPKI this far, not optimistic about any of the rest of the system getting deployed prior to IPv6 ubiquity or the end of my time on this planet, or even before we manage to destroy the planet, whichever comes first.

Owen
On Nov 2, 2022, at 08:30, heasley <heas@shrubbery.net> wrote:
Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
RPKI/ROA is a way to cryptographically prove what someone needs to prepend if they want to hijack your addresses.
Operators should not be deterred by that comment. Owen seems to be ignoring what it does achieve and that this is part of a larger system that is still emerging. See IETF sidrops wg. In the interim, do your part to improve DFZ hygiene.
Owen
I don't think I've ever agreed with Owen this much; maybe this is the first sign the world is ending, further proving his statement :)

On Wed, Nov 2, 2022 at 10:30 PM Owen DeLong via NANOG <nanog@nanog.org> wrote:
Oh, I’m not ignoring it, I’m just rather underwhelmed by it and given how long it took SIDRWG to get RPKI this far, not optimistic about any of the rest of the system getting deployed prior to IPv6 ubiquity or the end of my time on this planet, or even before we manage to destroy the planet, whichever comes first.
Owen
Participants (10): Alex Band, Douglas Fischer, heasley, jim deleskie, Jon Lewis, Josh Luthman, Kevin Burke, Owen DeLong, Randy Bush, Samuel Jackson