Thursday 5 March 2020

BGP RPKI: instructions for use (English Version)

As announced recently, “On March 25th, 2020, NTT GIN will deploy BGP routing policies which reject RPKI Invalid BGP route announcements on all AS 2914 EBGP sessions. This change will positively impact the Internet routing system.”

NTT GIN will therefore join the “reject Invalids” club, whose members of a size comparable to NTT GIN include AT&T (AS 7018), Cloudflare (AS 13335), Cogent (AS 174), KPN (AS 286), PCCW (AS 3491), Tata (AS 6453) and Telia (AS 1299). Many others are planning to join the club (see for instance this link).

Given the positive impact that the BGP RPKI architecture is having on improving Internet routing security, my friend Flavio Luciani, Chief Innovation Officer of NaMeX, and I (Tiziano Tofoni, a.k.a. Admiral Tofonoto) have written three posts in this blog trying to shed some light on its theoretical and practical aspects.

To spread the BGP RPKI culture and stimulate more and more ISPs to implement it in their production networks, hoping to do something useful for our loyal readers, we have decided to combine the three posts in a single article, this time in English.

The final document can be downloaded at this link.

Have a nice read and, should you need some advice on deploying BGP RPKI in your production network, please do not hesitate to get in touch.

Flavio and Tiziano

P.S. Special thanks to the NaMeX guys Maurizio Goretti (CEO), Francesco Ferreri (CTO) and Luca Davoli (CCO) for their support to the project and Nathalie Kunneke-Trenaman for reviewing the paper and helpful suggestions.


4 comments:

  1. Thank you for this effort. Highly appreciate it. NIST (USA) has developed a security guidance document which includes recommendations for BGP security (RPKI, ROA, origin validation) amongst other topics. Some users may find it useful as an additional reference.
    “Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation”
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf

    Sriram

  2. This route-policy will drop iBGP routes if they don't have the RPKI extended community:
    route-policy RPKI-POLICY
      if validation-state is valid then
        set local-preference 200
      elseif validation-state is not-found then
        set local-preference 100
      else
        drop
      endif
    end-policy
    !
    It should be:
    route-policy RPKI-POLICY
      if validation-state is valid then
        set local-preference 200
      elseif validation-state is not-found then
        set local-preference 100
      elseif validation-state is invalid then
        drop
      else
        # routes with no validation state come here
        # iBGP or RPKI validation disabled
        pass
      endif
    end-policy
    !

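An added example (not part of the comment above, nor of the paper): a small Python model of RFC 6811 route origin validation against a constructed ROA table, followed by both versions of the commenter's RPKI-POLICY. A route that carries no validation state (iBGP, or RPKI validation disabled) is modelled as None, which is exactly the case the original policy drops.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed ROA table for the example: (prefix, maxLength, origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def rpki_validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    A route is 'valid' if some ROA covers the prefix, its length does not
    exceed the ROA maxLength and the origin AS matches; 'invalid' if covering
    ROAs exist but none matches; 'not-found' if no ROA covers the prefix.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_policy(state: Optional[str], fixed: bool) -> Tuple[bool, Optional[int]]:
    """Evaluate RPKI-POLICY from the comment.

    state is the validation-state, or None for a route with no validation
    state at all.  Returns (accepted, local_preference); local_preference is
    None when the route is dropped or when 'pass' leaves it unchanged.
    """
    if state == "valid":
        return True, 200
    if state == "not-found":
        return True, 100
    if not fixed:
        # Original policy: the bare 'else' branch drops everything else,
        # including routes with no validation state (iBGP routes).
        return False, None
    if state == "invalid":
        return False, None
    # Fixed policy: only 'invalid' is dropped; routes without a validation
    # state fall into 'else' and are passed with their local-pref untouched.
    return True, None
```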
  3. IOS-XR BGP does not use RPKI validation-state in the BGP selection process by default. To enable this, you must configure "bestpath origin-as use validity".

  4. As usual... very, very useful and clear in all the parts in which the topic has been presented.

    Let's see in a short time how many ISPs will be using it!

    Thanks for this new "gem of wisdom"!
