Thomas King edited this page Nov 25, 2015 · 20 revisions

RPKI-Light: RPKI and BGPSec Validation at the Route Server

Use-Case

Nowadays, many peers at an IXP run routers that are not capable of performing RPKI/BGPSec validation themselves. RPKI and BGPSec validation nevertheless provide value to such peers, because they allow route leaks and hijacks to be detected. Many peers already rely on the route-server to receive BGP information from the other peers connected to the IXP, so the route-server is a natural place for RPKI and BGPSec validation to happen, provided there is a way of signalling the validation results to the peers.

This document describes a means of signalling RPKI and BGPSec validation results computed at the route-server to the peers. The signalling should be the same at all IXPs offering this service so that customers can consume it uniformly.

Objectives

  1. RPKI validation results (Invalid, Valid, Unknown) must be signalled from the route-server to peers.
  2. BGPSec validation results must be signalled from the route-server to peers.
  3. Propagation of the RPKI and BGPSec validation results across AS boundaries must be avoided.
  4. The proposed solution must be easy to implement in up-to-date BGP speakers (e.g., configure a filter).
  5. The IXP (identified by its AS number) signalling the RPKI / BGPSec validation results must be identifiable by the peer receiving the BGP announcement.

Discussion about Implementation

Objective 1 & Objective 4

  • Standard BGP Communities (RFC 1997) or Extended BGP Communities (RFC 4360) could be used for this.
  • BGP communities / Extended BGP Communities can be easily matched in filters and used as triggers for dropping a route (e.g., for an Invalid RPKI validation result) or adjusting the LOCAL_PREF of a route (e.g., for an Unknown RPKI validation result).
  • Caveat regarding Objective 3: RFC 1997 communities are propagated to other ASes unless a peer explicitly removes them on export, so each peer has to strip the signalling communities from routes it re-announces. Extended communities carry a transitive bit (RFC 4360); a non-transitive extended community is not passed across AS boundaries, which addresses Objective 3 without relying on every peer's export filter.
  • Caveat regarding Objective 5: since any peer can attach communities with the IXP's AS number to its own announcements, the route-server must strip the signalling communities from routes it receives before tagging them with its own validation result; otherwise a peer could forge a "Valid" tag.

Current Situations

  • AMS-IX Falcon (http://www.ams-ix.net): AMS-IX is already running a route-server in beta mode providing RPKI validation. The following BGP communities are used for signalling:
      • Prefix has ROA status: VALID (6777:65012)
      • Prefix has ROA status: INVALID (6777:65022)
      • Prefix has ROA status: UNKNOWN (6777:65023)
  • DE-CIX (http://www.de-cix.net): Is currently designing and testing a solution.
  • Lyonix (http://www.lyonix.net) / Rezopole: Currently performs RPKI validation and shares the result.
  • Nicix (http://www.nicix.net) / Rezopole: see Lyonix.
  • JPNAP (http://www.jpnap.net/english/): RPKI validation is currently being tested.
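As an added example (not part of the original page and not the configuration of any of the IXPs listed above), the following BIRD 1.x filters show what the filter-based approach from the Discussion section looks like on both sides, using the AMS-IX community values listed above for concreteness. The route-server side strips any incoming signalling communities and tags each route with its ROA check result; the peer side drops Invalid routes, adjusts LOCAL_PREF for Unknown and Valid routes, and removes the tags again on export so they do not cross the AS boundary (Objective 3). The ROA table name `roa_v4`, the filter and function names, and the LOCAL_PREF values are assumptions.

```bird
# --- Route-server side (assumed BIRD 1.x configuration) ---
# Community values are the ones AMS-IX uses; the ROA table roa_v4
# is an assumption and must be fed from an RPKI cache (e.g. via RTR).
define RPKI_VALID   = (6777, 65012);
define RPKI_INVALID = (6777, 65022);
define RPKI_UNKNOWN = (6777, 65023);

function tag_rpki_result()
{
    # Objective 5 caveat: remove any tag a peer attached itself, so a
    # peer cannot forge a "Valid" result for its own announcement.
    bgp_community.delete([(6777, 65012..65023)]);

    # roa_check() compares the prefix and the origin AS (last AS in the
    # path) against the ROA table and returns ROA_VALID/INVALID/UNKNOWN.
    if roa_check(roa_v4, net, bgp_path.last) = ROA_VALID then
        bgp_community.add(RPKI_VALID);
    else if roa_check(roa_v4, net, bgp_path.last) = ROA_INVALID then
        bgp_community.add(RPKI_INVALID);
    else
        bgp_community.add(RPKI_UNKNOWN);
}

# Import filter applied to every route-server client session.
# Routes are only tagged here, not dropped; the decision is left to the peer.
filter rs_import
{
    tag_rpki_result();
    accept;
}

# --- Peer side (assumed BIRD 1.x configuration on a member router) ---
# Import filter for the session towards the route server.
filter from_route_server
{
    # Objective 1 & 4: the tags are plain communities, so matching them
    # is a one-line filter statement.
    if RPKI_INVALID ~ bgp_community then reject;
    if RPKI_UNKNOWN ~ bgp_community then bgp_local_pref = 80;
    if RPKI_VALID   ~ bgp_community then bgp_local_pref = 120;
    accept;
}

# Export filter towards the peer's own customers and transit providers.
filter to_external_peers
{
    # Objective 3: RFC 1997 communities are transitive, so strip the
    # whole signalling range before the route leaves this AS.
    bgp_community.delete([(6777, 65012..65023)]);
    accept;
}
```

The deletion in `tag_rpki_result()` uses a range rather than the three individual values so that any future community the IXP adds in that block is covered too; the same range is stripped on the peer's export filter, which is what keeps the result from spreading beyond the IXP member's own AS.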

Related Work
