[lacnog] NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

DIEGO ZORRILLA (diefierr) diefierr en cisco.com
Dom Mar 29 14:19:38 GMT+3 2020

Hey Job, as always great work. 
Has been couple of days since you start the filtering.
Can you give us some feedback about what validator you using?
Can you give us some feedback about how many prefixes been filter? Any report you know about?
And final question, do you see any change on the BGP updates status?


On 3/25/20, 7:38 PM, "LACNOG on behalf of Job Snijders" <lacnog-bounces en lacnic.net on behalf of job en ntt.net> wrote:

    Dear LACNOG,
    Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
    based BGP Origin Validation on virtually all EBGP sessions, both
    customer and peering edge. This change positively impacts the Internet
    routing system.
    The use of RPKI technology is a critical component in our efforts to
    improve Internet routing stability and reduce the negative impact of
    misconfigurations or malicious attacks. RPKI Invalid route announcements
    are now rejected in NTT EBGP ingress policies. A nice side effect:
    peerlock AS_PATH filters are incredibly effective when combined with
    RPKI OV.
    For NTT, this is the result of a multiyear project, which included
    outreach, education, collaboration with industry partners, and
    production of open source software shared among colleagues in the
    Shout out to Louis & team (Cloudflare) for the open source GoRTR
    software and the OpenBSD project for rpki-client(8).
    I hope some take this news as encouragement to consider RPKI OV
    "invalid == reject"-policies as safe to deploy in their own BGP
    environments too. :-)
    If you have questions, feel free to reach out to me directly.
    Kind regards,
    LACNOG mailing list
    LACNOG en lacnic.net
    Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog

Más información sobre la lista de distribución LACNOG