[routing-wg] NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

Congratulations, Job!  

You and NTT have been a voice for routing security and a source for useful tools and techniques for a very long time.  The routing infrastructure is the better for your support.

(And after this expression of gratitude, here’s the ask: when do we get to hear the lessons-learned?)

—Sandy

> On Mar 25, 2020, at 9:09 PM, Job Snijders <job at ntt.net> wrote:
> 
> Dear Routing WG,
> 
> Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
> based BGP Origin Validation on virtually all EBGP sessions, both
> customer and peering edge. This change positively impacts the Internet
> routing system.
> 
> The use of RPKI technology is a critical component in our efforts to
> improve Internet routing stability and reduce the negative impact of
> misconfigurations or malicious attacks. RPKI Invalid route announcements
> are now rejected in NTT EBGP ingress policies. A nice side effect:
> peerlock AS_PATH filters are incredibly effective when combined with
> RPKI OV.
> 
> For NTT, this is the result of a multiyear project, which included
> outreach, education, collaboration with industry partners, and
> production of open source software shared among colleagues in the
> industry.
> 
> Shout out to Louis & team (Cloudflare) for the open source GoRTR
> software and the OpenBSD project for rpki-client(8).
> 
> I hope some take this news as encouragement to consider RPKI OV
> "invalid == reject"-policies as safe to deploy in their own BGP
> environments too. :-)
> 
> Kind regards,
> 
> Job