|
What is happening?
While many of the ISPs that make up the internet filter routes advertised to them by their customers, there is nothing to stop an ISP accepting routes that belong to someone else and advertising them to the internet. This can make devices hosted on those IP ranges unreachable. It is called route hijacking.

To combat this, the global routing registrars are introducing a system called Resource Public Key Infrastructure (RPKI). In this, organisations that own address space can "sign" their routes with a Route Origin Authorization (ROA). This just involves logging into the management web site of the registrar (http://myapnic.net in the case of APNIC) and creating the record for your address ranges, then selecting the option to enable ROA.

Once this is done, Vocus and other ISPs will be able to verify that your routes should have a particular origin Autonomous System Number (ASN) and use that to determine that your routes are the correct ones. It will also allow us to reject routes that don't match the ROA signed route, so that your routes will be safer from interference.

What is RPKI?
Resource Public Key Infrastructure (RPKI) is a system where each of the routing registrars allows their customers to specify the origin Autonomous System Number (ASN) that the route will be coming from. ISPs then run a special server that subscribes to these databases, downloading a list of "ROA valid" routes. The ISP then links the routers that make up its network to this server. This means that the routers know a list of valid routes. Any route that a router receives that doesn't match the correct ASN origin of a listed valid route is marked as "ROA invalid", then dropped.

Routes that are not signed are marked as "ROA unknown". For now, these routes are still accepted and treated as normal, but it is difficult for the ISPs to determine if they are valid or not and we have no way to prevent them from being hijacked.

How do I verify if my route has been signed correctly?
Once you have selected the ROA option for your routes with your registrar, you can check what Vocus is seeing to confirm the routes are correct. This is done using the Vocus looking glass (http://tools.vocus.com.au/lg). You need to select the BGP option and enter the subnet you are interested in, for example 121.200.224.0.
|
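The valid / invalid / unknown decision described under "What is RPKI?" can be sketched as follows. This is an added example, not Vocus's or any router vendor's code; it goes slightly beyond the text by also checking the ROA's maximum prefix length, as RFC 6811 origin validation does, and every prefix and ASN in it is constructed from the documentation ranges.

```python
import ipaddress

# Constructed ROA entries: (prefix, max_length, origin ASN).
# Prefixes and ASNs are documentation values (RFC 5737, RFC 5398), not real routes.
VRPS = [
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 25, 64497),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if vrp_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by a ROA but no match: invalid. No covering ROA at all: unknown.
    return "invalid" if covered else "unknown"

def filter_routes(announcements, vrps=VRPS):
    """Apply the policy in the text: drop invalid, accept valid and unknown."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, vrps)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped

if __name__ == "__main__":
    # Constructed announcements as a router might receive them.
    sample = [
        ("198.51.100.0/24", 64496),    # matches the ROA
        ("198.51.100.0/24", 64511),    # origin ASN does not match the ROA
        ("198.51.100.128/25", 64496),  # right ASN, longer than max length
        ("203.0.113.128/25", 64497),   # more specific, within max length
        ("192.0.2.0/24", 64500),       # no ROA covers this prefix
    ]
    accepted, dropped = filter_routes(sample)
    for row in accepted:
        print("accept", row)
    for row in dropped:
        print("drop  ", row)
```
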