[NLNOG] deploying RPKI based Origin Validation

Job Snijders job at ntt.net
Thu Jul 12 21:58:40 CEST 2018


I think the Netherlands is going to become the world leader in routing security!

How far along are you all with implementations of RPKI Origin Validation?
Does anyone need help?

Regards,

Job

----- Forwarded message from Job Snijders <job at ntt.net> -----

Date: Thu, 12 Jul 2018 17:50:29 +0000
From: Job Snijders <job at ntt.net>
To: nanog at nanog.org
Subject: deploying RPKI based Origin Validation

Hi all,

I wanted to share with you that a ton of activity is taking place in the
Dutch networker community to deploy RPKI based BGP Origin Validation.
The mantra is "invalid == reject" on all EBGP sessions.

What's of note here is that we're now seeing the first commercial ISPs
doing Origin Validation. This is a significant step forward compared to
what we observed so far (it seemed OV was mostly limited to academic
institutions & toy networks). But six months ago Amsio (https://www.amsio.com/en/)
made the jump, and today Fusix deployed (https://fusix.nl/deploying-rpki/).

We've also seen an uptake of Origin Validation at Internet Exchange
route servers: AMS-IX and FranceIX have already deployed. I've read that
RPKI OV is under consideration at a number of other exchanges.

Other cool news is that Cloudflare launched a Certificate Transparency
initiative to help keep everyone honest. Announcement at:
https://twitter.com/grittygrease/status/1017224762542587907
Certificate Transparency is a fascinating tool, really a necessity to
build confidence in any PKI systems.

Anyone here working to deploy RPKI based Origin Validation in their
network and reject invalid announcements? Anything of note to share?

Kind regards,

Job

----- End forwarded message -----

