netsec-sig - [Security-WG] Fwd: [routing-wg] GR-IX drops RPKI invalids
Subject: Internet2 Network Security SIG
List archive
- From: David Farmer <>
- To: "" <>
- Subject: [Security-WG] Fwd: [routing-wg] GR-IX drops RPKI invalids
- Date: Mon, 6 Jul 2020 05:21:04 -0500
- Dkim-filter: OpenDKIM Filter v2.11.0 mta-p6.oit.umn.edu 4B0hRw68QZz9vDvs
- Dmarc-filter: OpenDMARC Filter v1.3.2 mta-p6.oit.umn.edu 4B0hRw68QZz9vDvs
FYI, good news from another NREN.
---------- Forwarded message ---------
From: Michael Oikonomakos <>
Date: Mon, Jul 6, 2020 at 05:08
Subject: [routing-wg] GR-IX drops RPKI invalids
To: <>, <>
From: Michael Oikonomakos <>
Date: Mon, Jul 6, 2020 at 05:08
Subject: [routing-wg] GR-IX drops RPKI invalids
To: <>, <>
Dear all,
It has been a long journey but thankfully it has come to an end!!!
We are happy to announce that as of today (06/07/2020) GR-IX route servers drop RPKI invalids for both our infrastructures in Athens & Thessaloniki.
GR-IX [1] is a neutral and independent Internet Exchange in Greece, owned and operated by GRNET [2] (the Greek NREN).
Please let us share with you the brief version of the story behind it and any lessons learned.
- GRNET was an early supporter of RPKI. It started by signing ROAs for GRNET and their customers (all Greek Universities and Research Institutes). Moreover, it performed marking on each prefix received for further statistical / monitoring process. In the early days, GRNET was not dropping RPKI invalids, but put those prefixes with lower priority in their routing table.
- GRNET & GR-IX were early supporters of MANRS [3] and successfully became a member of MANRS as a Network Operator & IXP respectively.
- As of 10/2019, GRNET decided to start dropping invalid IPv4 and IPv6 RPKI prefixes received from GR-IX peerings and from GRNET upstream. No major issues were reported until now.
- As of today, GR-IX drops invalid IPv4 & IPv6 RPKI prefixes on their route servers. We are using the BGP large communities proposed by euro-ix [4] in order to mark the prefixes accordingly. We noticed no prefix with RPKI invalid status which hasn't already been filtered by our route servers due to our strict IRRDB filtering.
We would like to thank all our members (GRNET & GR-IX ones) for their help and support in this effort - either via simply signing their ROAs, or by participating in our tech mailing list and discussions we had during various fora. Internet was built of smaller or bigger ecosystems such as ours in Greece, in which we take great pride of its vibrant participation and technical expertise and are happy of being part of it.
We do hope you’re staying safe and healthy during these hard times and wish you a great summer.
Should you need any further information, please do contact us.
Best regards,
It has been a long journey but thankfully it has come to an end!!!
We are happy to announce that as of today (06/07/2020) GR-IX route servers drop RPKI invalids for both our infrastructures in Athens & Thessaloniki.
GR-IX [1] is a neutral and independent Internet Exchange in Greece, owned and operated by GRNET [2] (the Greek NREN).
Please let us share with you the brief version of the story behind it and any lessons learned.
- GRNET was an early supporter of RPKI. It started by signing ROAs for GRNET and their customers (all Greek Universities and Research Institutes). Moreover, it performed marking on each prefix received for further statistical / monitoring process. In the early days, GRNET was not dropping RPKI invalids, but put those prefixes with lower priority in their routing table.
- GRNET & GR-IX were early supporters of MANRS [3] and successfully became a member of MANRS as a Network Operator & IXP respectively.
- As of 10/2019, GRNET decided to start dropping invalid IPv4 and IPv6 RPKI prefixes received from GR-IX peerings and from GRNET upstream. No major issues were reported until now.
- As of today, GR-IX drops invalid IPv4 & IPv6 RPKI prefixes on their route servers. We are using the BGP large communities proposed by euro-ix [4] in order to mark the prefixes accordingly. We noticed no prefix with RPKI invalid status which hasn't already been filtered by our route servers due to our strict IRRDB filtering.
We would like to thank all our members (GRNET & GR-IX ones) for their help and support in this effort - either via simply signing their ROAs, or by participating in our tech mailing list and discussions we had during various fora. Internet was built of smaller or bigger ecosystems such as ours in Greece, in which we take great pride of its vibrant participation and technical expertise and are happy of being part of it.
We do hope you’re staying safe and healthy during these hard times and wish you a great summer.
Should you need any further information, please do contact us.
Best regards,
Michalis
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
- [Security-WG] Fwd: [routing-wg] GR-IX drops RPKI invalids, David Farmer, 07/06/2020
Archive powered by MHonArc 2.6.19.