On 2020-03-26 02:09, Job Snijders wrote:
> Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI
> based BGP Origin Validation on virtually all EBGP sessions, both
> customer and peering edge. This change positively impacts the Internet
> routing system.
Hello Job,
It is the word "virtually" that triggers me :), because in my mind it
translates to "not all of them". Why haven't you enabled it on all our
EBGP sessions? And doesn't this make enabling it on the rest of the
validation less useful? Because if an invalid announcement is received
on an EBGP session without RPKI validation, doesn't it propagate through
the rest of the network via iBGP, and thus make the hijack reachable for
all of NTT?
I'm sure you guys thought about this, but I'm just wondering what you
did to prevent the scenario I just described :).
Thanks for making the world a safer place!
Kind regards,
Tijn Buijs