[lacnog] Reaching out to LACNIC members about their RPKI INVALID and unreachable prefixes (will affect their ability to reach Cloudflare)

nusenu nusenu-lists at riseup.net
Thu Sep 20 04:26:00 BRT 2018


Hi,

I'm currently engaging with RIRs globally about raising awareness
for broken ROAs that result in unreachable IP prefixes.

As part of that I also reached out to LACNIC last week (see email below), but since I haven't heard
back yet and LACNIC30 is just around the corner (next week) it is probably a good time to reach
out to the broader community in the region.

The problem:
Misconfigured RPKI ROAs result in unreachable prefixes

Solution:
Update RPKI ROAs so they match your BGP announcements

More information can be found on this page:
https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c


My question to LACNIC (since not every affected LACNIC member will see this email):
Would you be open to reaching out to your affected members to inform them about 
their affected unreachable IP prefixes?

For Operators:
To see if you are affected you can search the following CSV file for your prefixes:
https://gist.github.com/nusenu/74e03bdbe9a2201dfd086f8fe9301300#file-2018-09-14-unreachable_invalids_prefix-origin-pairs-txt
(this is a snapshot from last week, if you changed your ROAs since then consider it outdated)


Coincidentally Cloudflare announced yesterday (as already noted on this mailing list)
that they will enforce RPKI route origin validation, which makes this issue
even more important since affected prefixes will no longer be able to communicate
with Cloudflare after the end of the year [1] 
(or any other network that performs route origin validation _now_).

It would be great if this issue could be also mentioned on next week's RPKI tutorials held at LACNIC30 [2].

Looking forward to hearing your feedback.

kind regards,
nusenu


nusenu wrote (to comunicaciones at lacnic.net on 2018-09-15):
> Dear LACNIC,
> 
> I care about routing security (RPKI) and would like to encourage RIRs to
> contact their members about their RPKI ROAs that result in many INVALID prefixes.
> 
> Would you be open to reaching out to your affected members to inform them about 
> their affected IP prefixes?
> 
> some more background:
> https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c
> 
> Looking forward to your feedback!
> nusenu

[1] https://blog.cloudflare.com/rpki-details/
https://twitter.com/Jerome_UZ/status/1042433414371205120

[2] www.lacnic.net/3135/46/evento/tutoriales#bgp-rpki

-- 
https://twitter.com/nusenu_
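
The check behind "The problem" and "For Operators" above, as an added example that is not part of the original email: RFC 6811 route origin validation over a set of ROAs and BGP announcements, followed by a filter for INVALID routes that have no usable covering route. All ROAs, prefixes and AS numbers are constructed from documentation ranges, and the definition of "unreachable" used here (an INVALID route with no VALID or not-found route covering the same address space) is an assumption.

```python
import ipaddress

# Constructed sample ROAs (prefix, maxLength, origin ASN), documentation ranges only.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 32, 64502),
]
# Constructed sample BGP announcements (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # matches its ROA
    ("198.51.100.0/24", 64510),    # ROA names a different origin AS
    ("2001:db8:1::/48", 64502),    # more specific than maxLength allows
    ("2001:db8::/32", 64502),      # valid covering route for the /48
    ("203.0.113.0/24", 64503),     # no ROA at all
]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: return (state, reason)."""
    net = ipaddress.ip_network(prefix)
    reasons = set()
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announcement
        if roa_asn == origin and roa_asn != 0 and net.prefixlen <= max_len:
            return "valid", "matches ROA"
        reasons.add("origin AS mismatch" if roa_asn != origin else "exceeds maxLength")
    if reasons:
        return "invalid", ", ".join(sorted(reasons))
    return "not-found", "no covering ROA"

def unreachable_invalids(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Invalid routes with no valid or not-found route covering the same space."""
    states = {(p, a): validate(p, a, roas)[0] for p, a in announcements}
    usable = [ipaddress.ip_network(p) for (p, a), s in states.items() if s != "invalid"]
    result = []
    for (p, a), s in states.items():
        net = ipaddress.ip_network(p)
        if s == "invalid" and not any(
            u.version == net.version and net.subnet_of(u) for u in usable
        ):
            result.append((p, a))
    return result

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(p, f"AS{a}", *validate(p, a))
    print("unreachable under ROV:", unreachable_invalids())
```

The reason string tells the operator which ROA field to correct: the origin AS or the maxLength.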

