question about enabling RPKI using Hosted mode
Hello,

We're thinking of enabling BGP ROA, because more and more ISPs are using strict RPKI mode. Could enabling Hosted Mode (where it doesn't require any additional configuration on the client end) on RPKI for some reason cause traffic loss? The only disastrous scenario I could think of is if we were to enable ROAs with incorrect sub-prefixes or maximum prefix length. Am I right?

Thanks
Dear Edvinas,

On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
We're thinking of enabling BGP ROA, because more and more ISPs are using strict RPKI mode.
Could enabling Hosted Mode (where it doesn't require any additional configuration on the client end) on RPKI for some reason cause traffic loss?
The only disastrous scenario I could think of is if we were to enable ROAs with incorrect sub-prefixes or maximum prefix length. Am I right?

I think you correctly identified most of the potential pitfalls. Another pitfall might be when a typo in the Origin AS value slips into the RPKI ROA.

For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562. Should I accidentally modify the covering ROA to only permit AS 15563, the planet's connectivity towards 2001:67c:208c::/48 would become spotty.

So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI monitoring tool. NTT's excellent BGPAlerter might be useful in this context: https://github.com/nttgin/BGPalerter

Don't deploy things without monitoring! :-)

Kind regards,
Job
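Both pitfalls raised so far (a ROA whose maxLength forgets a more-specific you actually announce, and an origin-AS typo such as 15563 for 15562) have the same effect: your own announcements turn RPKI-Invalid and strict-RPKI networks drop them. The check below is an added example, not code from the thread or from BGPalerter: it implements RFC 6811 route origin validation with only the Python standard library and runs your planned ROAs against the routes you announce today, before anything is published. Job's 2001:67c:208c::/48 / AS 15562 pair is taken from his message; every other prefix, ASN and ROA is constructed for the demo (RFC 5737 documentation space and private ASNs). It generalizes beyond the two cases in the thread: any combination of overlapping ROAs and announced routes is evaluated to Valid, Invalid or NotFound.

```python
# Added example (not from the thread): a pre-deployment "would my own routes
# go RPKI-Invalid?" check, implementing RFC 6811 route origin validation with
# the standard library only. All prefixes, ASNs and ROAs below are constructed
# for the demo except Job's 2001:67c:208c::/48 / AS 15562 pair from the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Route:
    """One BGP announcement as seen in the DFZ: prefix and its origin AS."""
    prefix: str
    origin_asn: int


def covers(roa: ROA, route: Route) -> bool:
    """True if the ROA prefix contains the announced prefix (same address family)."""
    r = ipaddress.ip_network(roa.prefix)
    p = ipaddress.ip_network(route.prefix)
    return r.version == p.version and p.subnet_of(r)  # subnet_of: Python 3.7+


def validate(route: Route, roas) -> str:
    """RFC 6811 origin validation state for one route: Valid, Invalid or NotFound.

    NotFound: no ROA covers the prefix (strict-RPKI networks still accept it).
    Invalid:  at least one ROA covers it, but none matches both the origin AS
              and prefix length <= maxLength. Strict-RPKI networks drop these.
    """
    covering = [roa for roa in roas if covers(roa, route)]
    if not covering:
        return "NotFound"
    plen = ipaddress.ip_network(route.prefix).prefixlen
    for roa in covering:
        if roa.origin_asn == route.origin_asn and plen <= roa.max_length:
            return "Valid"
    return "Invalid"


def preflight(routes, roas) -> dict:
    """Map 'prefix ASN' -> validation state for every announced route."""
    return {f"{r.prefix} AS{r.origin_asn}": validate(r, roas) for r in routes}


def would_break(routes, roas) -> list:
    """Routes that strict-RPKI peers would drop if these ROAs were published."""
    return [key for key, state in preflight(routes, roas).items() if state == "Invalid"]


# Constructed sample: what "we" announce today.
ROUTES = [
    Route("2001:67c:208c::/48", 15562),  # the /48 + AS pair from Job's message
    Route("192.0.2.0/24", 64500),        # RFC 5737 documentation space, private ASN
    Route("192.0.2.128/25", 64500),      # a more-specific we also announce
    Route("198.51.100.0/24", 64501),     # no ROA planned for this one yet
]

# Planned ROAs done right: maxLength wide enough for the /25, correct origin AS.
CORRECT_ROAS = [
    ROA("2001:67c:208c::/48", 48, 15562),
    ROA("192.0.2.0/24", 25, 64500),
]

# The two pitfalls from the thread in one set: an origin-AS typo (15563 for
# 15562) and a maxLength (24) that forgets the announced /25 more-specific.
TYPO_ROAS = [
    ROA("2001:67c:208c::/48", 48, 15563),
    ROA("192.0.2.0/24", 24, 64500),
]

if __name__ == "__main__":
    for label, roas in (("correct ROAs", CORRECT_ROAS), ("ROAs with typos", TYPO_ROAS)):
        print(f"--- {label} ---")
        for key, state in preflight(ROUTES, roas).items():
            print(f"{key:35} {state}")
        print("would break:", would_break(ROUTES, roas) or "nothing")
```

With the typo set, the /48 goes Invalid because no covering ROA names AS 15562, and 192.0.2.128/25 goes Invalid because 25 exceeds the ROA's maxLength of 24, while the /24 itself stays Valid. 198.51.100.0/24 is NotFound in both runs, which is not a breakage but tells you it is still unprotected. Feed `ROUTES` from your RIB export and `roas` from the draft ROA set before clicking "create" in the hosted portal, and keep the monitoring Job recommends running afterwards, since this check covers only the ROAs you control, not what the RPKI publication point actually serves.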
Thanks, will keep in mind. Also, about ROA expirations: is it possible to configure an automatic ROA extension after it expires?
Thus spake Edvinas Kairys (edvinas.email@gmail.com) on Tue, Oct 26, 2021 at 10:11:14AM +0300:
Also, about ROA expirations: is it possible to configure an automatic ROA extension after it expires?

Well, you probably hit one of the next biggest operational issues, so congrats ;-).

If you are in the ARIN region you might want to track the process for ACSP Suggestion 2021.15
https://www.arin.net/participate/community/acsp/suggestions/2021/2021-15/

If you are in another region you can see the differences here:
https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html?highli...

Dale
Thanks, I'm happy that my RIR is RIPE. I hope other RIRs will make auto-renew as well.
participants (3)
- Dale W. Carder
- Edvinas Kairys
- Job Snijders