
netsec-sig - Re: [Security-WG] Is BGP safe for your ISP?

Subject: Internet2 Network Security SIG

  • From: "Montgomery, Douglas C. (Fed)" <>
  • To: "" <>, Bob Harold <>
  • Cc: "" <>
  • Subject: Re: [Security-WG] Is BGP safe for your ISP?
  • Date: Mon, 20 Apr 2020 18:55:54 +0000

Bad, or sad, news?

 

Maybe we all should originate one purposefully RPKI-ROV invalid prefix with a web target on it, and provide the URL to cloudflare to include in their test.

 

Eventually the burden of manual configuration will be greater than the effort to deploy RPKI?

dougm

--

Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST

 

 

From: <> on behalf of Andrew Gallo <>
Reply-To: Andrew Gallo <>
Date: Monday, April 20, 2020 at 2:39 PM
To: Bob Harold <>
Cc: " List:" <>
Subject: Re: [Security-WG] Is BGP safe for your ISP?

 

This issue is bad news:

 

 

"ISPs manually blocking routes to https://invalid.rpki.cloudflare.com instead of implementing RPKI #105"

 

 

 

On Mon, Apr 20, 2020 at 2:31 PM Bob Harold <> wrote:

Thanks, I see I am late to the party!


--
Bob Harold

 

 

On Mon, Apr 20, 2020 at 2:25 PM Andrew Gallo <> wrote:

There's an issue open on the project's GitHub page concerning this:

 

 

 

On Mon, Apr 20, 2020 at 2:15 PM Bob Harold <> wrote:

Please test with IPv4 and IPv6 separately!   My campus says "Success" if I run from an IPv4-only host, but if I have IPv6 available, it says "Fail".


--
Bob Harold

DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
   734-512-7038

 

 

On Mon, Apr 20, 2020 at 12:17 PM Larry Blunk <> wrote:

 

  It should probably be clarified that "implementing RPKI" here actually means performing RPKI-based BGP filtering (and not simply registering ROAs).  Your workplace actually uses AT&T as its primary transit provider and thus already receives substantial benefit from AT&T's RPKI filtering.   There's some additional benefit for performing RPKI filtering on peers that don't already do it, but in many cases the benefit is probably limited (the chances of a Google or Microsoft or Amazon announcing or leaking bogus routes are likely low).  While Merit is not yet performing RPKI filtering (as noted, we get the benefit from AT&T doing it), we have registered ROAs for all prefixes that we have authority over in ARIN.  This includes the Net 35 blocks we have reassigned to Umich.  Umich has been discussing registering ROAs for their directly assigned blocks from ARIN.

 

-Larry Blunk

 Merit

 

 

On Mon, Apr 20, 2020 at 11:45 AM Bob Harold <> wrote:

My ISP (AT&T) says success.  My work says fail.  There was talk about implementing RPKI here recently.  Having a test page is useful.  Thanks.


--
Bob Harold
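
Added example, not part of the original thread: a minimal Python sketch of the RFC 6811 route origin validation that "RPKI-based BGP filtering" refers to in Larry Blunk's message, as opposed to only registering ROAs. The VRP table, the prefixes (documentation ranges), the AS numbers and the function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin_asn).
# Registering a ROA only creates entries like these; nothing is dropped until
# a router actually evaluates received routes against them.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]


def validate_origin(route_prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_length, asn in vrps:
        vrp = ipaddress.ip_network(prefix)
        # IPv4 and IPv6 are evaluated independently: a VRP covers a route only
        # if it is in the same family and the route is equal or more specific.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength.
        # AS 0 in a VRP never matches any route.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def rov_filter(routes, vrps=VRPS):
    """Filtering policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in routes if validate_origin(p, a, vrps) != "invalid"]


if __name__ == "__main__":
    received = [
        ("192.0.2.0/24", 64496),     # matches the ROA
        ("192.0.2.0/25", 64496),     # more specific than maxLength allows
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("2001:db8:1::/48", 64496),  # IPv6, within maxLength
        ("198.51.100.0/24", 64500),  # no covering ROA
    ]
    for prefix, asn in received:
        print(prefix, asn, validate_origin(prefix, asn))
    print(rov_filter(received))
```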

 

 

 
