Progress Deploying RPKI’s Route Origin Validation in the Internet2 Backbone
Internet2 is in the process of deploying Route Origin Validation (ROV) capability within the backbone. Initially, this capability will be used to understand the global R&E community's adoption of RPKI, as well as RPKI deployment among I2PX peers.
Route Origin Validation is a method to verify a route’s origin AS. By cryptographically signing your routes, you reduce the chance that a mistake or malice can disrupt or hijack your Internet connection. To learn more about RPKI, as well as other practices to better secure Internet routing, check out: https://www.manrs.org
The deployment tasks include migrating the RPKI validator infrastructure from test to production, configuring the backbone routers to exchange extended community attributes among their iBGP mesh, and developing reports to allow us to better interpret the validation status information.
Initial data from our validator testing, as well as statistics available from NIST's RPKI monitor (see: https://rpki-monitor.antd.nist.gov), show a significant number of routes flagged as invalid. These invalids are mostly deployment "teething", in the form of misconfiguration of the ROAs. Before Internet2 can consider incorporating ROV into our routing strategy, we'll need to ensure the community's use of the technology is reasonably mature.
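As an added illustration (not Internet2's code and not output from its validator), here is the RFC 6811 origin-validation decision described above, run over constructed ROAs and announcements that use documentation prefixes and private-use ASNs; the last cases show the maxLength mistake that produces many of the "teething" invalids mentioned above.

```python
import ipaddress
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: str       # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorizes
    origin_asn: int   # AS allowed to originate; 0 means "nobody"


def validate_route(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 outcome for one announcement: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no ROA matches (wrong origin or too-long prefix)
    return "invalid" if covered else "notfound"


# Constructed sample ROAs (documentation prefixes, private-use ASNs)
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),  # maxLength 26 also permits /25 and /26
    ROA("2001:db8::/32", 32, 64496),    # maxLength 32: no more-specifics allowed
]

# Constructed sample announcements: (prefix, origin ASN)
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),       # valid
    ("192.0.2.0/24", 64500),       # invalid: wrong origin AS
    ("198.51.100.128/25", 64497),  # valid: within maxLength
    ("2001:db8:1::/48", 64496),    # invalid: ROA maxLength omitted the /48
    ("203.0.113.0/24", 64498),     # notfound: no ROA covers the prefix
]


def summarize(routes, roas) -> dict:
    """Count outcomes, the kind of report the post describes building."""
    counts = {"valid": 0, "invalid": 0, "notfound": 0}
    for prefix, asn in routes:
        counts[validate_route(prefix, asn, roas)] += 1
    return counts


if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(f"{prefix:22} AS{asn}: {validate_route(prefix, asn, SAMPLE_ROAS)}")
    print(summarize(SAMPLE_ROUTES, SAMPLE_ROAS))
```

The /48 case is the typical misconfiguration: the ROA is correct for the covering /32, but the more-specific announcement needs either its own ROA or a larger maxLength before a dropping policy would stop discarding it.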
Some backbone operators, such as AT&T, have been dropping invalid routes for nearly a year. During NANOG 75, AT&T shared their “Steps leading up to ‘drop’ policy” via this lightning talk: https://youtu.be/DkUZvlj1wCk
We hope to have some initial data to share in the coming weeks. Please direct questions or comments to Networkdevelopment@internet2.edu.