[routing-wg] RPKI Route Origin Validation and AS3333
Lukas Tribus
lukas at ltri.eu
Sun Mar 21 12:43:46 CET 2021
Hello,

On Sat, 20 Mar 2021 at 20:06, Hank Nussbacher <hank at interall.co.il> wrote:
> I am not sure it is possible, but I would love to see some centralized
> site where all dropped ROV invalids would appear. This way I can see if
> I have a problem as well as if someone tried to hijack my space but was
> thwarted by the drop.

Monitoring ROV invalids in other people's networks (validators; routers) is not possible and I doubt it ever will be.

What you can do is monitor your IP space for hijacks (whether ROAs exist or not) and generally ROV invalids. Like Randy mentioned, bgpalerter is a great tool for this job. If you roll your own custom CA, you should monitor it against different validator instances.

But this is a valid point: I definitely believe that most operators don't really monitor their validation instances for periodic successful validation, their RTR servers for not serving stale data and their RTR clients for not using stale data (for whatever reasons, including bugs and misconfigurations).

Just pinging your validator or checking for a SYN-ACK on the RTR port is not enough monitoring, I'm afraid.

Also see:
https://labs.ripe.net/Members/lukas_tribus/rpki-rov-about-stale-rtr-servers-and-how-to-monitor-them
https://lists.nlnetlabs.nl/pipermail/rpki/2021-March/000275.html

Given the lack of discussions about the topic of properly monitoring validation and RTR state, and the definitely non-zero amount of issues with this exact issue, I think it's safe to assume that for the most part proper monitoring in the production networks out there is not happening today.

cheers,
lukas
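
Added example, not part of the original message: a sketch of an RTR check that goes beyond a ping or SYN-ACK by parsing what the cache sends in reply to a Reset Query (PDU layout per RFC 8210) and flagging an incomplete data set, a near-empty VRP set, or a serial that has not moved between two polls. The thresholds, the function names and the sample byte stream are assumptions constructed for illustration; an unchanged serial is treated as a staleness hint on the assumption that the RPKI data set normally changes within the chosen window.

```python
import struct

# RFC 8210 PDU type codes used by this check
CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, ERROR_REPORT = 3, 4, 6, 7, 10

def parse_rtr_snapshot(stream: bytes) -> dict:
    """Walk the PDUs a cache returns for a Reset Query and summarise them."""
    snap = {"session": None, "serial": None, "vrps": 0, "complete": False}
    off = 0
    while off + 8 <= len(stream):
        _ver, ptype, field, length = struct.unpack_from("!BBHI", stream, off)
        if length < 8 or off + length > len(stream) or ptype == ERROR_REPORT:
            break  # malformed, truncated or error: snapshot stays incomplete
        body = stream[off + 8:off + length]
        if ptype == CACHE_RESPONSE:
            snap["session"] = field
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX) and body and body[0] & 1:
            snap["vrps"] += 1  # flags bit 0 set = announcement
        elif ptype == END_OF_DATA and len(body) >= 4:
            snap["serial"] = struct.unpack_from("!I", body)[0]
            snap["complete"] = True
        off += length
    return snap

def assess(prev, cur, elapsed_s, max_unchanged_s=7200, min_vrps=1000):
    """Return a list of problems; thresholds are assumed, tune per network."""
    if not cur["complete"]:
        return ["no End of Data: cache did not deliver a full data set"]
    problems = []
    if cur["vrps"] < min_vrps:
        problems.append(f"only {cur['vrps']} VRPs served")
    same = prev and (prev["session"], prev["serial"]) == (cur["session"], cur["serial"])
    if same and elapsed_s >= max_unchanged_s:
        problems.append(f"serial {cur['serial']} unchanged for {elapsed_s}s")
    return problems

def pdu(ptype, field, body=b"", version=1):
    return struct.pack("!BBHI", version, ptype, field, 8 + len(body)) + body

def sample_stream(session, serial, n):
    """Constructed reply: n copies of 192.0.2.0/24 max 24 from AS64496."""
    v4 = struct.pack("!BBBB4sI", 1, 24, 24, 0, bytes([192, 0, 2, 0]), 64496)
    eod = struct.pack("!IIII", serial, 3600, 600, 7200)
    return (pdu(CACHE_RESPONSE, session) + pdu(IPV4_PREFIX, 0, v4) * n
            + pdu(END_OF_DATA, session, eod))

if __name__ == "__main__":
    old = parse_rtr_snapshot(sample_stream(7, 100, 3))
    new = parse_rtr_snapshot(sample_stream(7, 100, 3))
    print(assess(old, new, elapsed_s=9000, min_vrps=2))
```

A changed session ID means the cache restarted and serials are not comparable, so the unchanged-serial test only fires when the session ID matches.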