<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-IE" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal"><span lang="EN-GB">Hi Nathalie, <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Too bad the RIPE NCC is still dragging their feed on the actual RPKI implementation in their own infrastructure.. <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Yes we want RPKI.. <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><br> Yes we want the RIPE NCC to implement RPKI in their network and drop invalid ROA’s ... <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">No we don’t care if there are members that lock themselves out of the LIR portal using an incorrect RPKI ROA if they are on that same IP space with their laptop … ( they can always use the wifi hotspot on their mobile to get to the RIPE NCC portal.. ) <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">We can always look at every angle in this till infinity .. but as operators of a network we need to make these decisions as well … <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">And it is best for the community that the ones that are having invalid ROA’s understand that they have invalid roa’s.. And have to deal with the consequences for having them .. <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">I’m sure that the current Terms & Conditions also doesn’t state that the RIPE NCC are knowingly not taking active measurements against BGP Hijacks and while there are good ways of protecting the network against that kind of attacks, the RIPE NCC has decided that it wasn’t worth protecting us from .. I know that it is a bit over simplified, but we have all seen what the effects could be on bgp hijacks in the past .. I’m sure that that is a bigger issue than someone who shoots their selves in the foot. <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Sorry if I sound a bit annoyed on the tone of voice, but come on .. it is 2021 .. the policy to get all-inclusive on RPKI was in 2013 .. when this WG decided to accept RPKI Certification for non-members. <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Can we now also get the RIPE NCC to step into this ? .. pretty please .. ?<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Regards,<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB">Erik Bais <o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"> <p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">routing-wg <routing-wg-bounces@ripe.net> on behalf of Nathalie Trenaman <nathalie@ripe.net><br> <b>Date: </b>Thursday 18 March 2021 at 16:03<br> <b>To: </b>"routing-wg@ripe.net" <routing-wg@ripe.net><br> <b>Subject: </b>[routing-wg] RPKI Route Origin Validation and AS3333<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Dear Colleagues, Working Group,<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">As discussed previously in this mailing list, some community members expressed that they would like to see the RIPE NCC perform Route Origin Validation on AS3333. We decided to ask the community for advice and guidance on how we should proceed. <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">What is Route Origin Validation?<o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="background:white">Route Origin Validation is a mechanism by which route advertisements can be authenticated as originating from an expected autonomous system (AS). </span><o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="background:white">The best current practice is to drop </span>RPKI invalid BGP announcements. These are announcements that conflict with the statement as described in a Route Origin Authorization (ROA).<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">What is AS3333?<o:p></o:p></p> </div> <div> <p class="MsoNormal">This is the AS Number for the RIPE NCC’s main service network. It includes most of our *.<a href="http://ripe.net/"><span style="color:black">ripe.net</span></a> websites, including the LIR Portal (<a href="http://my.ripe.net/"><span style="color:black">my.ripe.net</span></a>) and the RIPE Database. <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">What is the Problem?<o:p></o:p></p> </div> <div> <p class="MsoNormal">Currently, some of our upstream providers already perform ROV. This means that some of our members that potentially misconfigured their ROA or members who have lost control of creation and modification of their ROAs cannot reach our services via those peers. <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">On the other hand, some of our upstream providers do not perform ROV, and if a member’s prefix is being announced by a hijacker, they cannot access our services. We already received a report about this.This is also not an ideal situation. <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">From the network operations perspective, there are no obstacles to enable ROV on AS3333, however, we have to consider that members or End Users who announce something different in BGP than their ROA claims, will be dropped and lose access to our services from their network. This includes the RPKI Dashboard where they can make changes to their ROAs. This is specially relevant when members operate certificate generation in hosted mode which is the current operation mode for almost all for our members. <o:p></o:p></p> </div> <div> <p class="MsoNormal"><br> From an analysis we made on 10 February, there were 511 of such announcements from our members and End Users.<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">Our current RPKI Terms and Conditions do not mention that a Member or End User ROA should match their routing intentions, or any implications it may have if the ROA does not match their BGP announcement. If the community decides it is important that AS3333 performs ROV, our legal team needs to update the RPKI Terms and Conditions to reflect the potential impact. <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">I welcome a respectful discussion and look forward to your advice and guidance.<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">Kind regards,<o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">Nathalie Trenaman<o:p></o:p></p> </div> <div> <p class="MsoNormal">Routing Security Programme Manager<o:p></o:p></p> </div> <div> <p class="MsoNormal">RIPE NCC<o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Arial",sans-serif"><br> <br> </span><o:p></o:p></p> </div> </div> </body> </html>