
netsec-sig - Re: [Security-WG] Sept 16 meeting notes

Subject: Internet2 Network Security SIG


Re: [Security-WG] Sept 16 meeting notes


  • From: Andrew Gallo <>
  • To:
  • Subject: Re: [Security-WG] Sept 16 meeting notes
  • Date: Thu, 17 Sep 2020 16:00:53 -0400

I'll share my ideas for RPKI invalids notification with the list.  Still a bit unstructured at this point, but maybe they'll spark some discussion....
1. Weekly routing table report for the R&E table similar to the report that gets sent to NANOG each Friday
	Number of prefixes in the table
	Number of ASNs seen
	RPKI valid/unknown/invalid counts/percent
	**List of invalid prefixes
2. Slack integration (like BGP alerter)
	This would take some development work.  Not sure how much.
3. Router web proxy button
	Steve mentioned enhancements to the router proxy.
	Maybe we could have an additional command such as:
		show route aspath-regex ".* ASN .*" validation-state invalid terse
	Users could run this to see all prefixes originating from their ASN that are invalid

4. Log Monitoring
	Enable tracing on validation sessions on the routers:
		routing-options validation traceoptions flag policy
	results in log messages that look like:
		Sep 17 11:34:52.547102 rv_get_policy_state: rt 2c0f:f6d0:a6::/48 origin-as 327687, validation result invalid
	Maybe this makes #2 easier?  Not sure what load it places on the routers

5. CLI method
	There's a quick method using whois against bgpmon:
		whois -h whois.bgpmon.net " --roa 4901 162.250.136.0/22"
		0 - Valid
		whois -h whois.bgpmon.net " --roa 4901 162.250.136.0/23"
		2 - Not Valid: Invalid Prefix-Length
	Effort: we would need to set up our own WHOIS service

One thing that occurs to me: if we start dropping invalids, then #4 may be the only method to detect such errors.

Thanks

On 9/17/2020 2:51 PM, Adair Thaxton wrote:
https://spaces.at.internet2.edu/display/SWG/2020-09-16+Meeting+notes

That's right, y'all, I'm using the Wiki!

I'd specifically like to call attention to the community-facing action items at the bottom - reproduced here for visibility.

Action items

   - Members: If you want us to drop invalid routes, please let us know!
   - Members and connectors: If you are interested in using a centrally-provided RPKI validator, please let us know!
   - Connectors: If you have suggestions on how we can better educate the community about CloudConnect, please let us know!
   - Please let Susan know:
       - Tutorials you'd like to see
       - Topics you'd like to discuss, as we're going to have breakout discussion "tables"
       - Would we like to have our own Security Mini-Camp to discuss a broader array of issues?
   - Steven Wallace will be reaching out to Andrew Gallo to discuss a community-led effort to establish best practices for RPKI implementation as well as feedback on how Internet2 can ensure its participants are aware of potential unintentional RPKI invalid route announcements.

Adair
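An added example tying Andrew's items 1, 2, 4 and 5 together. This is editor-written code, not Andrew's, not Internet2's and not part of the original thread: it parses Junos `rv_get_policy_state` trace lines of the shape quoted under item 4, keeps the last validation result per (prefix, origin AS), produces the valid/unknown/invalid counts and invalid list the weekly report in item 1 asks for, builds the `{"text": ...}` body a Slack incoming webhook accepts (item 2, built but never posted), and does a local RFC 6811 origin-validation check with a reason string in the style of the bgpmon output in item 5. Everything beyond the single log line in the email is constructed: the other log lines, the ROA set `SAMPLE_ROAS`, and the assumption that valid/unknown results are logged in the same shape with a different last word.

```python
"""Parse Junos RPKI validation trace lines, summarise them, and draft a Slack alert.

Assumptions (not from the thread): every trace line follows the shape of the one
quoted under item 4, with "valid"/"unknown" in place of "invalid"; the extra log
lines and the ROA set below are constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Shape of the line quoted in the thread:
#   Sep 17 11:34:52.547102 rv_get_policy_state: rt 2c0f:f6d0:a6::/48 origin-as 327687, validation result invalid
TRACE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"rv_get_policy_state: rt (?P<prefix>\S+) origin-as (?P<asn>\d+), "
    r"validation result (?P<state>valid|invalid|unknown)\s*$"
)

# Constructed sample log: the first line is the one from the email, the rest are made up.
SAMPLE_LOG = """\
Sep 17 11:34:52.547102 rv_get_policy_state: rt 2c0f:f6d0:a6::/48 origin-as 327687, validation result invalid
Sep 17 11:34:52.547301 rv_get_policy_state: rt 162.250.136.0/22 origin-as 4901, validation result valid
Sep 17 11:34:52.547455 rv_get_policy_state: rt 162.250.136.0/23 origin-as 4901, validation result invalid
Sep 17 11:34:52.547610 rv_get_policy_state: rt 198.51.100.0/24 origin-as 64496, validation result unknown
Sep 17 11:34:52.547777 rv_get_policy_state: rt 2001:db8::/32 origin-as 64496, validation result unknown
Sep 17 11:34:53.000001 rv_get_policy_state: rt 162.250.136.0/23 origin-as 4901, validation result invalid
Sep 17 11:34:53.100000 rpd[1234]: some unrelated log line
"""

# Constructed ROA set for the local check (not real RPKI data): (prefix, max_length, origin_as).
SAMPLE_ROAS = [("162.250.136.0/22", 22, 4901)]


def parse_trace_line(line: str) -> Optional[dict]:
    """Return {ts, prefix, origin_as, state} for a validation trace line, else None."""
    m = TRACE_RE.match(line)
    if m is None:
        return None
    net = ipaddress.ip_network(m["prefix"], strict=False)  # normalises v4/v6 text
    return {"ts": m["ts"], "prefix": str(net), "origin_as": int(m["asn"]), "state": m["state"]}


def summarize(log_text: str) -> dict:
    """Per-state counts/percentages and the invalid (prefix, origin-as) pairs (item 1).

    The router re-evaluates a route whenever the VRP set changes, so the LAST
    result seen for each (prefix, origin-as) wins rather than counting every line.
    """
    last_state = {}
    for line in log_text.splitlines():
        rec = parse_trace_line(line)
        if rec is not None:
            last_state[(rec["prefix"], rec["origin_as"])] = rec["state"]
    counts = Counter(last_state.values())
    total = sum(counts.values())
    percent = {s: (round(100.0 * counts[s] / total, 1) if total else 0.0)
               for s in ("valid", "unknown", "invalid")}
    invalids = sorted(k for k, s in last_state.items() if s == "invalid")
    return {"counts": dict(counts), "percent": percent, "invalids": invalids}


def invalids_for_asn(log_text: str, asn: int) -> list:
    """Invalid prefixes originated by one AS: the log-side twin of item 3's
    'show route aspath-regex ".* ASN .*" validation-state invalid terse'."""
    return [p for p, a in summarize(log_text)["invalids"] if a == asn]


def rfc6811_state(prefix: str, origin_as: int, roas=SAMPLE_ROAS) -> str:
    """Local RFC 6811 origin validation with a reason, like the bgpmon output in item 5."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "unknown"  # no ROA covers this prefix at all
    if any(roa_as == origin_as and net.prefixlen <= max_len for max_len, roa_as in covering):
        return "valid"
    if any(roa_as == origin_as for _, roa_as in covering):
        return "invalid: prefix-length"  # right AS, but more specific than maxLength
    return "invalid: origin-as"


def slack_payload(summary: dict) -> dict:
    """Body for a Slack incoming webhook (item 2); built here, not posted anywhere."""
    c, p = summary["counts"], summary["percent"]
    lines = [f"RPKI validation summary: valid {c.get('valid', 0)} ({p['valid']}%), "
             f"unknown {c.get('unknown', 0)} ({p['unknown']}%), "
             f"invalid {c.get('invalid', 0)} ({p['invalid']}%)"]
    lines += [f"  INVALID {pfx} origin-as {asn}" for pfx, asn in summary["invalids"]]
    return {"text": "\n".join(lines)}


if __name__ == "__main__":
    print(slack_payload(summarize(SAMPLE_LOG))["text"])
    print("AS4901 invalids:", invalids_for_asn(SAMPLE_LOG, 4901))
    for pfx, asn in [("162.250.136.0/22", 4901), ("162.250.136.0/23", 4901)]:
        print(pfx, asn, "->", rfc6811_state(pfx, asn))
```

Keeping only the last result per route matters: a prefix that flips from invalid to valid after a ROA fix would otherwise still be counted as invalid in the weekly numbers. The unrelated `rpd` line shows the parser ignoring everything that is not a validation trace, which is what a syslog feed into a Slack hook would actually contain.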



