Internet2 Network Security SIG

[Larry Blunk <>]

  The ROA Invalid prefixes Cloudflare is announcing for the test are 103.21.244.0/24 and 2606:4700:7000::/48.

The DNS name for the hosts being tested with an https connection is invalid.rpki.cloudflare.com.  I can currently get

to both of these.  The IPv6 path goes through a non-transit peer that is leaking the v6 announcement to us.  Here's the

path for the IPv4 announcement :)

103.21.244.0/24    *[BGP/170] 1w4d 08:56:35, MED 99, localpref 110, from 198.108.93.41
                      AS path: 11164 7473 9498 13335 I, validation-state: unverified

On Mon, Apr 20, 2020 at 2:31 PM Bob Harold <> wrote:

Thanks, I see I am late to the party!

--
Bob Harold

On Mon, Apr 20, 2020 at 2:25 PM Andrew Gallo <> wrote:

There's an issue open on the projects Github page concerning this:

https://github.com/cloudflare/isbgpsafeyet.com/issues/37

On Mon, Apr 20, 2020 at 2:15 PM Bob Harold <> wrote:

Please test with IPv4 and IPv6 separately!   My campus says "Success" if I run from an IPv4-only host, but if I have IPv6 available, it says "Fail".

--
Bob Harold

DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
   734-512-7038

On Mon, Apr 20, 2020 at 12:17 PM Larry Blunk <> wrote:

  It should probably be clarified that "implementing RPKI" here actually means performing RPK-based BGP filtering (and not simply registering ROA's).  Your workplace actually uses AT&T as it's primary transit provider and thus already receives substantial benefit from AT&T's RPKI filtering.   There's some additional benefit for performing RPKI filtering on peers that don't already do it, but in many cases the benefit is probably limited (the chances of a Google or Microsoft or Amazon announcing or leaking bogus routes is likely low).  While Merit is not yet performing RPKI filtering (as noted, we get the benefit from AT&T doing it), we have registered ROA's for all prefixes that we have authority over in ARIN.  This includes the Net 35 blocks we have reassigned to Umich.  Umich has been discussing registering ROA's for their directly assigned blocks from ARIN.

-Larry Blunk

 Merit

On Mon, Apr 20, 2020 at 11:45 AM Bob Harold <> wrote:

My ISP (AT&T) says success.  My work says fail.  There was talk about implementing RPKI here recently.  Having a test page is useful.  Thanks.

--
Bob Harold

-- 

--

Larry Blunk
Senior Network Engineer

| 734.527.5725 p | 734.395.4363 c | 734.527.5790 f | www.merit.edu
880 Technology Drive, Suite B | Ann Arbor, MI 48108-8963

     Learn More About Merit Services