[service] RPKI Route Origin Validation on RIPE NCC Network
Dear colleagues, On Monday, 19 April 2021 we will enable Resource Public Key Infrastructure (RPKI) Route Origin Validation (ROV) on our own network, AS3333, and reject RPKI invalid Border Gateway Protocol (BGP) announcements. This follows discussions with the Routing Working Group (WG), which has agreed we should move forward with this. We have already contacted everyone who might be affected to explain the steps they need to follow. RPKI ROV is a security mechanism that authenticates route advertisements as originating from an expected Autonomous System (AS), with the goal to drop BGP announcements that do not match the routing intentions of the IP address holder as stated in a ROA (Route Origin Authorisation). This also means that operators who made a typo in their ROA might not be able to reach ripe.net anymore. We have reached out to all 215 organisations in the RIPE region that currently have a ROA that does not match with what we see in BGP. You can find more information on RIPE Labs: https://labs.ripe.net/author/nathalie_nathalie/rpki-and-as3333-or-how-we-eat... We are very excited to perform ROV on our network as this complements the rest of our RPKI activities -- running a Trust Anchor and one of the root Certificate Authorities, hosting a platform for maintaining ROAs, and offering a publication server accessible over rsync and the RPKI Repository Delta Protocol (RRDP). Reaching this milestone will be of great benefit to the RIPE community and I want to thank the Routing WG and its Chairs for their support. If you have any questions, please feel free to contact me. Kind Regards, Nathalie Trenaman Routing Security Programme Manager RIPE NCC
participants (1)
-
Nathalie Trenaman