[lacnog] Reaching out to LACNIC members about their RPKI INVALID and unreachable prefixes (will affect their ability to reach Cloudflare)

Roque Gagliano rgaglian en gmail.com
Thu Sep 20 04:40:16 BRT 2018


Personally, I think increasing awareness is always positive. However, my
preferred path would be to include these sorts of reports in the already
existing inter-domain reporting systems so operators do not need to
subscribe to "yet another report". I know BGPMON does provide RPKI analysis
but I do not have a view on the rest of the popular tools out there.

Particularly, it has been under debate for many years if RIRs should have
some sort of "routing police" role and asking members with an official
communication could generate some noise at the policy layer.

Maybe if you could make sure that all these existing reporting systems do
include alerts on RPKI invalid announcements.


Disclaimer: I now work at Cisco, which now manages BGPMon.

On Thu, Sep 20, 2018 at 9:27 AM nusenu <nusenu-lists en riseup.net> wrote:

> Hi,
> I'm currently engaging with RIRs globally about raising awareness
> for broken ROAs that result in unreachable IP prefixes.
> As part of that I also reached out to LACNIC last week (see email below),
> but since I haven't heard back yet and LACNIC30 is just around the corner
> (next week) it is probably a good time to reach out to the broader
> community in the region.
> The problem:
> Misconfigured RPKI ROAs result in unreachable prefixes
> Solution:
> Update RPKI ROAs so they match your BGP announcements
> More information can be found on this page:
> https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c
> My question to LACNIC (since not every affected LACNIC member will see
> this email):
> Would you be open to reach out to your affected members to inform them
> about their affected unreachable IP prefixes?
> For Operators:
> To see if you are affected you can search the following CSV file for your
> prefixes:
> https://gist.github.com/nusenu/74e03bdbe9a2201dfd086f8fe9301300#file-2018-09-14-unreachable_invalids_prefix-origin-pairs-txt
> (this is a snapshot from last week, if you changed your ROAs since then
> consider it outdated)
> Coincidentally Cloudflare announced yesterday (as already noted on this
> mailing list) that they will enforce RPKI route origin validation, which
> makes this issue even more important since affected prefixes will no
> longer be able to communicate with Cloudflare after the end of the year [1]
> (or any other network that performs route origin validation _now_).
> It would be great if this issue could be also mentioned on next week's
> RPKI tutorials held at LACNIC30 [2].
> Looking forward to hearing your feedback.
> kind regards,
> nusenu
> nusenu wrote (to comunicaciones en lacnic.net on 2018-09-15):
> > Dear LACNIC,
> >
> > I care about routing security (RPKI) and would like to encourage RIRs to
> > contact their members about their RPKI ROAs that result in many INVALID
> > prefixes.
> >
> > Would you be open to reach out to your affected members to inform them
> > about their affected IP prefixes?
> >
> > some more background:
> >
> > https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c
> >
> > Looking forward to your feedback!
> > nusenu
> [1] https://blog.cloudflare.com/rpki-details/
> https://twitter.com/Jerome_UZ/status/1042433414371205120
> [2] www.lacnic.net/3135/46/evento/tutoriales#bgp-rpki
> --
> https://twitter.com/nusenu_


At least I did something
Don Draper - Mad Men
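
The following is an added example, not part of the original thread and not nusenu's or BGPMon's tooling. It applies RFC 6811 route origin validation to (prefix, origin) pairs to show how a ROA that does not match the BGP announcement yields INVALID, and which INVALIDs become unreachable. All prefixes and ASNs are constructed sample values, and treating an INVALID as "unreachable" when no covering VALID or NotFound announcement exists is an assumption made for this example.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix authorized by the ROA
    max_length: int  # longest prefix length the ROA allows to be announced
    asn: int         # authorized origin AS

def covers(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)

def validate(prefix, origin, roas):
    """Return the RFC 6811 validation state of one (prefix, origin) pair."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if not covers(ipaddress.ip_network(roa.prefix), route):
            continue  # this ROA says nothing about the route
        covered = True
        if roa.asn != 0 and roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def unreachable_invalids(announcements, roas):
    """INVALID pairs with no covering non-invalid announcement to fall back on."""
    states = {a: validate(a[0], a[1], roas) for a in announcements}
    usable = [ipaddress.ip_network(p) for (p, _), s in states.items() if s != "invalid"]
    return [a for a, s in states.items() if s == "invalid"
            and not any(covers(u, ipaddress.ip_network(a[0])) for u in usable)]

# Constructed sample data (documentation prefixes, private-use ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64501),
    ROA("203.0.113.0/24", 24, 64502),
    ROA("2001:db8::/32", 32, 64500),
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # matches its ROA
    ("198.51.100.0/25", 64501),  # longer than the ROA's maxLength
    ("203.0.113.0/24", 64503),   # origin AS differs from the ROA
    ("2001:db8::/32", 64500),    # matches its ROA
    ("2001:db8:1::/48", 64500),  # too specific, but the valid /32 covers it
    ("198.18.0.0/24", 64510),    # no ROA covers it
]
if __name__ == "__main__":
    for p, o in ANNOUNCEMENTS:
        print(p, f"AS{o}", validate(p, o, ROAS))
    print("unreachable:", unreachable_invalids(ANNOUNCEMENTS, ROAS))
```

The fix for the two unreachable pairs is on the ROA side: raise maxLength (or add a ROA) for the /25, and issue a ROA for the AS that actually originates 203.0.113.0/24.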