[routing-wg] RPKI ROAs and Monitoring
- Previous message (by thread): [routing-wg] RPKI ROAs and Monitoring
- Next message (by thread): [routing-wg] RPKI ROAs and Monitoring
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Klaus Darilion
klaus.darilion at nic.at
Mon Dec 12 15:34:16 CET 2022
Thanks for the inputs. I now went with packetvis. Does anybody know who is behind packetvis? The home page is pretty quiet. Basically it works, but I would have expected that packetivs also shows ROAs. It show all my prefixes, but it does not show which of them have ROAs and which not. I guess I will give BGPalerter also a try. regards Klaus > -----Ursprüngliche Nachricht----- > Von: Massimo Candela <massimo at us.ntt.net> > Gesendet: Montag, 12. Dezember 2022 12:38 > An: Klaus Darilion <klaus.darilion at nic.at> > Cc: routing-wg at ripe.net > Betreff: Re: [routing-wg] RPKI ROAs and Monitoring > > Hello Klaus, > > An open-source monitoring application that does exactly what you are > asking for is BGPalerter [1]. Alternatively, if you are not keen on > running the app yourself, there is https://packetvis.com which is a > BGPalerter as a service. > > Ciao, > Massimo > > [1] https://github.com/nttgin/BGPalerter > > > > On Dec 12, 2022 12:12, Klaus Darilion via routing-wg <routing- > wg at ripe.net> wrote: > > > Hello all! > > > > Until now we have not used RPKI. For us at nic.at and RcodeZero DNS > we are not on the validating side of RPKI, but we would only create > ROAs, using the RIPE service. I could just login to the RIPE portal and > in 5 minutes it is done. But I am a bit concerned about activating the > service and do not care anymore. Hence I think we should have some > monitoring too. > > > > We have a defined target state, eg. prefix 83.136.32.0/21 should be > announced from AS30971. So I think our monitoring should check: > > - is there a ROA for 83.136.32.0/21 from AS30971 > > - is the ROA valid, ie. not expired > > - Will validating ISPs accept these prefixes? Will > validating ISPs reject this prefix if the orign AS is wrong (maybe > having a local Routinator or queriying a public service via API). > > > > Do you think this makes sense? Is such monitoring already available > and I only have to subcribe somewhere (free or comemrcial)? Do I miss > something? Any hints what I should do before and after creating the > ROAs? > > > > Thanks > > Klaus > > > > PS: What happens if my ROAs expire. Will then my BGP announcements > be ignored by validating ISPs or will it just be as if there are no ROAs > at all? > > > No roa at all. However, if a less specific roa exists, or a roa for > another AS, it could result in invalid. You would get notified by the > monitoring if roas are expiring. > > > > -- > > Klaus Darilion, Head of Operations > > nic.at GmbH, Jakob-Haringer-Straße 8/V > > 5020 Salzburg, Austria > > >
- Previous message (by thread): [routing-wg] RPKI ROAs and Monitoring
- Next message (by thread): [routing-wg] RPKI ROAs and Monitoring
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]