[lacnog] NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies
DIEGO ZORRILLA (diefierr)
diefierr en cisco.com
Dom Mar 29 14:19:38 GMT+3 2020
Hey Job, as always great work.
Has been couple of days since you start the filtering.
Can you give us some feedback about what validator you using?
Can you give us some feedback about how many prefixes been filter? Any report you know about?
And final question, do you see any change on the BGP updates status?
Regards
Diego
On 3/25/20, 7:38 PM, "LACNOG on behalf of Job Snijders" <lacnog-bounces en lacnic.net on behalf of job en ntt.net> wrote:
Dear LACNOG,
Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
based BGP Origin Validation on virtually all EBGP sessions, both
customer and peering edge. This change positively impacts the Internet
routing system.
The use of RPKI technology is a critical component in our efforts to
improve Internet routing stability and reduce the negative impact of
misconfigurations or malicious attacks. RPKI Invalid route announcements
are now rejected in NTT EBGP ingress policies. A nice side effect:
peerlock AS_PATH filters are incredibly effective when combined with
RPKI OV.
For NTT, this is the result of a multiyear project, which included
outreach, education, collaboration with industry partners, and
production of open source software shared among colleagues in the
industry.
Shout out to Louis & team (Cloudflare) for the open source GoRTR
software and the OpenBSD project for rpki-client(8).
I hope some take this news as encouragement to consider RPKI OV
"invalid == reject"-policies as safe to deploy in their own BGP
environments too. :-)
If you have questions, feel free to reach out to me directly.
Kind regards,
Job
_______________________________________________
LACNOG mailing list
LACNOG en lacnic.net
https://mail.lacnic.net/mailman/listinfo/lacnog
Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
Más información sobre la lista de distribución LACNOG