From moikonom at admin.grnet.gr Mon Jul 6 12:07:56 2020 From: moikonom at admin.grnet.gr (Michael Oikonomakos) Date: Mon, 6 Jul 2020 13:07:56 +0300 Subject: [connect-wg] GR-IX drops RPKI invalids Message-ID: Dear all, It has been a long journey but thankfully it has come to an end!!! We are happy to announce that as of today (06/07/2020) GR-IX route servers drop RPKI invalids for both our infrastructures in Athens & Thessaloniki. GR-IX [1] is a neutral and independent Internet Exchange in Greece, owned and operated by GRNET [2] (the Greek NREN). Please let us share with you the brief version of the story behind it and any lessons learned. - GRNET was an early supporter of RPKI. It started by signing ROAs for GRNET and their customers (all Greek Universities and Research Institutes). Moreover, it performed marking on each prefix received for further statistical / monitoring process. In the early days, GRNET was not dropping RPKI invalids, but put those prefixes with lower priority in their routing table. - GRNET & GR-IX were early supporters of MANRS [3] and successfully became a member of MANRS as a Network Operator & IXP respectively. - As of 10/2019, GRNET decided to start dropping invalid IPv4 and IPv6 RPKI prefixes received from GR-IX peerings and from GRNET upstream. No major issues were reported until now. - As of today, GR-IX drops invalid IPv4 & IPv6 RPKI prefixes on their route servers. We are using the BGP large communities proposed by euro-ix [4] in order to mark the prefixes accordingly. We noticed no prefix with RPKI invalid status which hasn't already been filtered by our route servers due to our strict IRRDB filtering. We would like to thank all our members (GRNET & GR-IX ones) for their help and support in this effort - either via simply signing their ROAs, or by participating in our tech mailing list and discussions we had during various fora. Internet was built of smaller or bigger ecosystems such as ours in Greece, in which we take great pride of its vibrant participation and technical expertise and are happy of being part of it. We do hope you?re staying safe and healthy during these hard times and wish you a great summer. Should you need any further information, please do contact us. Best regards, Michalis [1]: https://www.gr-ix.gr [2]: https://grnet.gr/en/ [3]: https://www.manrs.org [4]: https://www.euro-ix.net/en/forixps/large-bgp-communities/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From stavros.konstantaras at ams-ix.net Mon Jul 6 18:49:19 2020 From: stavros.konstantaras at ams-ix.net (Stavros Konstantaras) Date: Mon, 6 Jul 2020 18:49:19 +0200 Subject: [connect-wg] GR-IX drops RPKI invalids In-Reply-To: References: Message-ID: Awesome news Mike, well done to you and your team. And thank you for sharing the background story with us, wish to see more success stories from your side in the near future. Best regards, Stavros Konstantaras | Sr. Network Engineer | AMS-IX M +31 (0) 620 89 51 04 | T +31 20 305 8999 ams-ix.net > On 6 Jul 2020, at 12:07, Michael Oikonomakos wrote: > > Dear all, > > It has been a long journey but thankfully it has come to an end!!! > > We are happy to announce that as of today (06/07/2020) GR-IX route servers drop RPKI invalids for both our infrastructures in Athens & Thessaloniki. > GR-IX [1] is a neutral and independent Internet Exchange in Greece, owned and operated by GRNET [2] (the Greek NREN). > > Please let us share with you the brief version of the story behind it and any lessons learned. > > - GRNET was an early supporter of RPKI. It started by signing ROAs for GRNET and their customers (all Greek Universities and Research Institutes). Moreover, it performed marking on each prefix received for further statistical / monitoring process. In the early days, GRNET was not dropping RPKI invalids, but put those prefixes with lower priority in their routing table. > - GRNET & GR-IX were early supporters of MANRS [3] and successfully became a member of MANRS as a Network Operator & IXP respectively. > - As of 10/2019, GRNET decided to start dropping invalid IPv4 and IPv6 RPKI prefixes received from GR-IX peerings and from GRNET upstream. No major issues were reported until now. > - As of today, GR-IX drops invalid IPv4 & IPv6 RPKI prefixes on their route servers. We are using the BGP large communities proposed by euro-ix [4] in order to mark the prefixes accordingly. We noticed no prefix with RPKI invalid status which hasn't already been filtered by our route servers due to our strict IRRDB filtering. > > We would like to thank all our members (GRNET & GR-IX ones) for their help and support in this effort - either via simply signing their ROAs, or by participating in our tech mailing list and discussions we had during various fora. Internet was built of smaller or bigger ecosystems such as ours in Greece, in which we take great pride of its vibrant participation and technical expertise and are happy of being part of it. > > We do hope you?re staying safe and healthy during these hard times and wish you a great summer. > > Should you need any further information, please do contact us. > > Best regards, > Michalis > > > [1]: https://www.gr-ix.gr > [2]: https://grnet.gr/en/ > [3]: https://www.manrs.org > [4]: https://www.euro-ix.net/en/forixps/large-bgp-communities/ _______________________________________________ > connect-wg mailing list > connect-wg at ripe.net > https://lists.ripe.net/mailman/listinfo/connect-wg -------------- next part -------------- An HTML attachment was scrubbed... URL: