[routing-wg] RPKI ROAs and Monitoring
Job Snijders
job at fastly.com
Mon Dec 12 12:50:37 CET 2022
Hi Klaus!

On Mon, Dec 12, 2022 at 12:12:03PM +0100, Klaus Darilion via routing-wg wrote:
> Until now we have not used RPKI. For us at nic.at and RcodeZero DNS we
> are not on the validating side of RPKI, but we would only create ROAs,
> using the RIPE service. I could just login to the RIPE portal and in 5
> minutes it is done. But I am a bit concerned about activating the
> service and do not care anymore. Hence I think we should have some
> monitoring too.

Monitoring your ROAs is a really good idea! I recommend taking a look at
this presentation https://www.youtube.com/watch?v=cJUkOu9nWT8

> We have a defined target state, eg. prefix 83.136.32.0/21 should be
> announced from AS30971. So I think our monitoring should check:
>
> - is there a ROA for 83.136.32.0/21 from AS30971
> - is the ROA valid, ie. not expired
> - Will validating ISPs accept these prefixes? Will validating
> ISPs reject this prefix if the origin AS is wrong (maybe having a local
> Routinator or querying a public service via API).

Indeed, validating ISPs will reject the BGP announcement if the Origin
AS is incorrectly configured in the ROA. Make sure to not make any typos
when creating ROAs! :-)

Here is a blog post that details what the impact is of misconfigured
ROAs (and conversely - what the positive impact is of correctly
configured ROAs!)
https://www.kentik.com/blog/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes/

> Do you think this makes sense? Is such monitoring already available
> and I only have to subscribe somewhere (free or commercial)? Do I miss
> something? Any hints what I should do before and after creating the
> ROAs?

One dataset to check for RPKI objects related to your prefixes is
https://console.rpki-client.org/dump.json.gz (for all details) or
https://console.rpki-client.org/vrps.json (for condensed version)

> PS: What happens if my ROAs expire. Will then my BGP announcements be
> ignored by validating ISPs or will it just be as if there are no ROAs
> at all?

Indeed, then it will be like there are no ROAs at all.

Kind regards,

Job
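
The three checks from the quoted question, run against a VRP export such as the vrps.json dataset mentioned above, as an added example (not code from either poster or from rpki-client). The JSON field names, the embedded sample data and the probe ASN 64496 are assumptions.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of a VRP export: a "roas" list whose
# entries carry asn, prefix, maxLength and expires (Unix time).
SAMPLE = json.loads("""
{"roas": [
  {"asn": "AS30971", "prefix": "83.136.32.0/21", "maxLength": 21, "expires": 1670900000},
  {"asn": 64500, "prefix": "2001:db8::/32", "maxLength": 48, "expires": 1670900000}
]}
""")

def _asn(value):
    # Exports differ: some write 30971, others "AS30971".
    return int(str(value).upper().replace("AS", ""))

def covering(route, vrps, now):
    """Unexpired VRPs whose prefix covers the route; an expired ROA yields none."""
    found = []
    for vrp in vrps:
        net = ipaddress.ip_network(vrp["prefix"])
        alive = vrp.get("expires", now + 1) > now
        if alive and net.version == route.version and route.subnet_of(net):
            found.append(vrp)
    return found

def matches(route, origin, vrp):
    return _asn(vrp["asn"]) == origin and route.prefixlen <= vrp["maxLength"]

def rov_state(prefix, origin, vrps, now):
    """RFC 6811 origin validation result: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    cov = covering(route, vrps, now)
    if any(matches(route, origin, v) for v in cov):
        return "valid"
    return "invalid" if cov else "not-found"

def check_target(prefix, origin, vrps, now, warn_days=7, probe_asn=64496):
    """Return alert strings; an empty list means the target state holds."""
    alerts = []
    state = rov_state(prefix, origin, vrps, now)
    if state != "valid":
        alerts.append(f"{prefix} from AS{origin} is {state}")
    # A wrong origin (probe_asn, a documentation ASN) must come out invalid,
    # otherwise validating networks would not reject it.
    if rov_state(prefix, probe_asn, vrps, now) != "invalid":
        alerts.append(f"{prefix} from AS{probe_asn} would not be rejected")
    route = ipaddress.ip_network(prefix)
    left = [v["expires"] - now for v in covering(route, vrps, now)
            if "expires" in v and matches(route, origin, v)]
    if left and max(left) < warn_days * 86400:
        alerts.append(f"{prefix} VRP expires in {max(left) // 3600} hours")
    return alerts
```

Once the sample VRP has expired, the announcement comes out as "not-found" rather than "invalid", which is the behaviour described in the last answer above.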