Over the last two days, we’ve featured posts on the APNIC Blog discussing ways to measure and clean up ROAs that are inconsistent with the BGP state.
Over the years, the routing community has developed several route monitoring tools and reports, including Team Cymru’s, Geoff Huston’s and Philip Smith’s respective Bogons Reports, the RIPE NCC Routing Information Service (RIS), University of Oregon’s RouteViews, the Isolario Project and Hurricane Electric’s BGP Toolkit. None of these run as ‘obligation’ services though; they are enhancements, built on top of views of BGP and local knowledge.
Community-based methods like these, which review routing validity, are to be welcomed. Having as many eyes as possible on routing security is critical, as it increases trust and provides diversity in the sources of review of the state of BGP, which helps everyone understand the variances in routing visibility.
And, since the routing state depends on where and how you look, the diversity in views has to be reflected somehow. So, having several different high-level views of the state of routing helps identify both the locally and the globally visible state.
However, when it comes to RPKI, given the role of the RIRs in signing over assertions made by the resource holder, there’s potential for APNIC to help identify inconsistencies between ROA statements and the routing state.
As part of APNIC’s planning process, the Secretariat can look at some options for how this could be addressed and what service improvements could be valuable to the community.
This could complement other initiatives we have in ‘Internet health’ reporting to asset holders, where we are exploring high-level statistics on data sourced from honeypots about abuse traffic originating from a BGP speaker’s sources.
It would help to know what network operators would find useful, however. For example, would data on the following inconsistencies be useful for you?
- Resources that are certified elsewhere but originating from an AS held by you, not in alignment with signed declarations (in ROA).
- IP addresses held by you, not being originated in alignment with your own RPKI statements (in ROA).
- IP addresses held by you not covered by ROA, but existing in BGP, especially when you have other holdings in ROA.
APNIC welcomes your suggestions to help us consider the best approach to addressing ROA inconsistencies.
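The three kinds of inconsistency listed above can be told apart by running route origin validation (RFC 6811) on each announcement and then checking whose address space and whose AS is involved. The sketch below is an added example, not APNIC code; the holder's ASN and prefixes, the ROAs, the announcements and the category names are all constructed for illustration using documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs), not real routing state.
MY_ASNS = {64500}
MY_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
ROAS = [(ipaddress.ip_network(p), max_len, asn) for p, max_len, asn in [
    ("192.0.2.0/24", 24, 64500),    # our own ROA
    ("203.0.113.0/24", 24, 64501),  # a ROA made by another resource holder
]]
ANNOUNCEMENTS = [  # (prefix, origin AS) as seen in BGP
    ("203.0.113.0/24", 64500),
    ("192.0.2.0/25", 64500),
    ("198.51.100.0/24", 64500),
    ("192.0.2.0/24", 64500),
]

def covered_by(prefix, net):
    """True if prefix is equal to or more specific than net (same address family)."""
    return prefix.version == net.version and prefix.subnet_of(net)

def rov_state(prefix, origin):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [(m, a) for net, m, a in ROAS if covered_by(prefix, net)]
    if not covering:
        return "not-found"
    if any(a == origin and prefix.prefixlen <= m for m, a in covering):
        return "valid"
    return "invalid"

def classify(prefix, origin):
    """Map one announcement onto the three inconsistency types in the list above."""
    prefix = ipaddress.ip_network(prefix)
    state = rov_state(prefix, origin)
    mine = any(covered_by(prefix, held) for held in MY_PREFIXES)
    if state == "invalid" and not mine and origin in MY_ASNS:
        return "foreign-space-from-my-as"      # first item in the list
    if state == "invalid" and mine:
        return "my-space-contradicts-my-roa"   # second item
    if state == "not-found" and mine:
        return "my-space-without-roa"          # third item
    return "consistent-or-out-of-scope"

def report():
    """Classify every sample announcement."""
    return {(p, a): classify(p, a) for p, a in ANNOUNCEMENTS}

if __name__ == "__main__":
    for (p, a), verdict in report().items():
        print(f"{p:18} AS{a}  {verdict}")
```

Note that the second case is invalid only because of the ROA's maximum length: the origin AS matches, but the /25 is more specific than the ROA allows.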