Internet2

Progress Deploying RPKI’s Route Origin Validation in the Internet2 Backbone

Feb 03, 2020, by Steven Wallace
Tags: Advanced Networking, Frontpage News, Security

Internet2 is in the process of deploying Route Origin Validation (ROV) capability within the backbone. Initially, this capability will be used to understand the global R&E community's adoption of RPKI, as well as RPKI deployment among I2PX peers.

Route Origin Validation is a method to verify a route’s origin AS. By cryptographically signing your routes, you reduce the chance that a mistake or malice can disrupt or hijack your Internet connection. To learn more about RPKI, as well as other practices to better secure Internet routing, check out: https://www.manrs.org

The deployment tasks include migrating the RPKI validator infrastructure from test to production, configuring the backbone routers to exchange extended community attributes among their iBGP mesh, and developing reports to allow us to better interpret the validation status information.

Initial data from our validator testing, as well as statistics available from NIST's RPKI monitor (see: https://rpki-monitor.antd.nist.gov), show a significant number of routes flagged as invalid. These invalids are mostly deployment "teething" problems, in the form of misconfigured ROAs. Before Internet2 can consider incorporating ROV into our routing strategy, we'll need to ensure the community's use of the technology is reasonably mature.
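
How a route ends up valid, invalid or not-found, as an added example that is not part of the original post or Internet2's tooling: the RFC 6811 origin-validation procedure in Python, including the case where a ROA's maxLength is too short for a legitimate more-specific announcement. The prefixes, AS numbers and the `validate` helper are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Validated ROA Payload: the (prefix, maxLength, origin AS) triple a validator
# extracts from a signed ROA and hands to routers.
VRP = namedtuple("VRP", "prefix max_length asn")

# Constructed sample VRPs using documentation prefixes and ASNs.
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64497),  # maxLength left at /24
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64498),
]

def validate(route, origin_asn, vrps=VRPS):
    """Return (state, reason) for a BGP route per the RFC 6811 procedure."""
    net = ipaddress.ip_network(route)
    # A VRP covers the route if it is in the same address family and the
    # route's prefix is equal to or more specific than the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return ("not-found", "no covering ROA")
    # AS 0 in a ROA never matches any route's origin.
    asn_match = [v for v in covering if v.asn == origin_asn and v.asn != 0]
    if any(net.prefixlen <= v.max_length for v in asn_match):
        return ("valid", "origin AS and prefix length match a ROA")
    if asn_match:
        return ("invalid", "prefix more specific than ROA maxLength")
    return ("invalid", "origin AS not authorized by any covering ROA")

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    for route, asn in [("192.0.2.0/24", 64496), ("203.0.113.0/25", 64497),
                       ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64499),
                       ("2001:db8:1::/48", 64498)]:
        print(route, asn, *validate(route, asn))
```

The reason string separates the two kinds of invalid, which is the distinction a report needs in order to tell a ROA that must be corrected from a route that originates in the wrong AS.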

Some backbone operators, such as AT&T, have been dropping invalid routes for nearly a year. During NANOG 75, AT&T shared their “Steps leading up to ‘drop’ policy” via this lightning talk: https://youtu.be/DkUZvlj1wCk

We hope to have some initial data to share in the coming weeks. Please direct questions or comments to Networkdevelopment@internet2.edu.