Child pages
  • RPKI Validation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Attacks against the routing system are increasing, and it's not uncommon in today's Internet world to experience prefix hijacking.  The IETF has for a while, been woking on an Internet Resource Public Key Infrastructure, to help validate routing (BGP) announcements.  

Details on RPKI and how this works is best followed up through the RIR.  The RIPE-NCC in particular have excellent resources for you to peruse, and you are much better off trying to find specific router configuration at the RIPE website.


At INX-ZA, we operate a fewRPKI validators that are made available to the general public for use.  These are spread across the country, and are available at: 

  • vc1-jnb.inx.net.za
  • vc2-jnb.inx.net.za
  • vc1-cpt.inx.net.za
  • vc2-cpt.inx.net.za
  • vc1-dur.inx.net.za
  • vc2-dur.inx.net.za

for you to use to validate your prefixes.  

Of course the point of RPKI validation is for your network equipment to do this automatically, so we suggest the following configuration: 


RPKI Config
router bgp 65001
 bgp rpki server tcp <<host>> port 3323 refresh 900


Please remember to use the v6 addresses, if your router supports IPv6.


Our recommendations

We recommend that you

  • assign a higher local-pref to prefixes that have a Valid ROA
  • leave prefixes with Not-Found ROAs untouched
  • drop prefix with Invalid ROA

Dealing with Invalids

Most operators may be tempted to choose an approach where they set the local-pref of Invalids to something really low (ie. least preferred).  The simple problem you're still likely to see is that a more-specific (ie. longer match) route for this, will still win in the BGP route selection process, and therefore still leave you to attack.  

Should you need assistance with this, please feel free to send a mail to ops [at]  inx.net.za

 

  • No labels