ACSP Suggestion 2018.13: RPKI-Based BGP Origin Validation

Suggestion

Author: Job Snijders   
Submitted On: 16 July 2018

Description: Enable RPKI-based BGP Origin Validation in ARIN’s own Autonomous Systems (AS 10745, AS 393225, AS 53535, AS 393220, AS 394018, etc.) and reject “invalid” route announcements.

Value to Community:

ARIN has been offering RPKI services to its members for quite some time now; it is time to lead by example and eat our own cooking (like with IPv6 & DNSSEC). Enabling Origin Validation based on RPKI data will further ARIN staff’s understanding of the routing ecosystem in relation to RPKI OV; this experience can feed back into improved services for the ARIN members.

ARIN’s ASNs (AS 10745, AS 393225, AS 53535, AS 393220, AS 394018, etc.) are multi-homed to numerous connectivity providers. In case one of these connectivity providers propagates a BGP hijack or misconfigured route announcement to ARIN - which conflicts with information contained in an RPKI ROA - RPKI origin validation can improve the reachability between ARIN online services and the various stakeholders if ARIN rejects these “invalid” route announcements.

Take for example ARIN’s authoritative nameservers (example: 199.212.0.0/24 which has z.arin.net). ARIN already publishes an RPKI ROA for 199.212.0.0/24; this enables BGP peers of AS 393225 to increase their chances of delivering the DNS queries to the correct place (ARIN). It is beneficial to DNS resolver operators if ARIN can repay in kind and perform Origin Validation to the benefit of the DNS operators that have published RPKI ROAs.

For every ASN that enables RPKI-based Origin Validation, the value of creating & publishing RPKI ROAs increases!

Timeframe: Not specified

Status: Open   Updated: 10 August 2018
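
The origin validation decision the suggestion asks for (RFC 6811: classify each announcement as valid, invalid or not-found, then reject only the invalid ones), as an added example that is not code from the suggestion's author or from ARIN. The ROA's maximum length and origin AS are assumed from the suggestion's text; every other ASN and prefix is a documentation value, and all routes are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin AS) tuple a router receives."""
    prefix: str
    max_length: int
    origin_as: int

def origin_of(as_path) -> Optional[int]:
    """Origin AS is the rightmost AS in AS_PATH; None if the path is empty or ends in an AS_SET."""
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return None
    return as_path[-1]

def validate(prefix: str, as_path, vrps) -> str:
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route is equal to or more specific than it.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength; AS 0 never matches.
        if (origin is not None and vrp.origin_as != 0
                and vrp.origin_as == origin and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered by at least one VRP but matched by none: invalid. No covering VRP: not-found.
    return "invalid" if covered else "not-found"

def accept(routes, vrps):
    """Import policy from the suggestion: drop 'invalid', keep 'valid' and 'not-found'."""
    return [r for r in routes if validate(r[0], r[1], vrps) != "invalid"]

# Assumed VRP for the ROA the suggestion mentions (maxLength and origin AS are assumptions).
VRPS = [VRP("199.212.0.0/24", 24, 393225)]

# Constructed announcements; 64496-64511 are documentation ASNs (RFC 5398).
ROUTES = [
    ("199.212.0.0/24", [64500, 393225]),           # expected origin
    ("199.212.0.0/24", [64500, 64511]),            # wrong origin AS
    ("199.212.0.0/25", [64500, 393225]),           # more specific than maxLength
    ("199.212.0.0/24", [64500, {393225, 64511}]),  # AS_SET origin cannot match
    ("198.51.100.0/24", [64500, 64501]),           # no covering VRP
]
```

The not-found route is still accepted: origin validation only protects prefixes whose holders have published ROAs.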

Tracking Information

ARIN Comment

10 August 2018

Thank you for your suggestion, numbered 2018.13 upon confirmed receipt, requesting ARIN enable RPKI-based BGP origin validation in ARIN’s own Autonomous Systems and reject “invalid” route announcements.

We have reviewed your suggestion and note we would need to implement it with careful consideration given to minimizing impact for customers who may encounter situations that require they query and fix their ROAs managed inside ARIN’s hosted RPKI solution in circumstances where they are experiencing their own RPKI-based operational issues. Our development schedule for the 2018 year is currently filled by previously-submitted community suggestions and other system improvements. We will consider this suggestion, together with other RPKI-related community suggestions, for inclusion into our 2019 work plan.

Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.