I firmly believe that we can make the Internet a safer place again. Not only that, I believe that ISPs have an obligation to make it safer. We have already started, by implementing RPKI validation. And I will tell you why you should not be afraid to do the same.
During the last NLNOG Day, routing security was the major topic under discussion. And I am happy to tell you that we – Dutch network operators – are doing a pretty good job. The research presented showed that of all the networks performing resource validation, the vast majority are right here in our own backyard. Pretty cool!
However, of that vast majority, most have taken only the first step, which is signing their own prefixes with a ROA. Only a few ISPs have also taken the second step and implemented RPKI validation, so that they actually validate BGP announcements. We are one of them. And although it is nice to be at the forefront, we do need more networks to implement RPKI validation if we want it to be really effective. We hear that on a management level, some companies are afraid to implement resource validation.
The main reason is that ISPs feel that they always have to make sure that any IP address is reachable, no matter what, and that if they can’t deliver traffic, they provide bad service. With resource validation, a very small part of the Internet does indeed become unreachable – but that is only because these are most certainly hijacked prefixes. I think a customer would rather hear from you that you provide no reachability to a certain IP address because it can harm them, than have you tell them that the people behind that IP address were hijacking it to obtain data of your customer’s end users!
Since we implemented RPKI validation in July of this year, we have had only a handful of cases where customers reported being unable to reach certain IP addresses. Considering that we drop a few thousand IP address ranges, the vast majority of these must be IP space that our customers don’t want to communicate with anyway.
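The reachability argument above depends on how route origin validation classifies an announcement. As an added illustration (not the author's code or router configuration), this sketch applies the RFC 6811 origin validation rules to constructed ROA data and announcements that use documentation prefixes and private-use ASNs; the drop-invalid-only policy in `import_filter` is an assumption about the deployment.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin AS).
# Documentation prefixes and private-use ASNs, not real routing data.
VRPS = [
    ("192.0.2.0/24", 25, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

# Constructed BGP announcements: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # matches the ROA
    ("192.0.2.0/25", 64500),      # more specific, still within maxLength
    ("192.0.2.0/26", 64500),      # more specific than maxLength allows
    ("203.0.113.0/24", 64666),    # covered prefix, wrong origin AS
    ("198.51.100.0/24", 64510),   # no ROA covers this prefix
    ("2001:db8:1::/48", 64502),   # IPv6, matches the ROA
]


def validate(prefix, origin_as, vrps=VRPS):
    """Classify one announcement as valid, invalid or not-found (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        roa = ipaddress.ip_network(vrp_prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue  # this VRP says nothing about the route
        covered = True
        # AS0 in a VRP never matches any origin.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def import_filter(announcements, vrps=VRPS):
    """Assumed policy: drop only 'invalid'; keep 'valid' and 'not-found'."""
    accepted, dropped = [], []
    for prefix, origin in announcements:
        state = validate(prefix, origin, vrps)
        (dropped if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, dropped


if __name__ == "__main__":
    accepted, dropped = import_filter(ANNOUNCEMENTS)
    for route in accepted:
        print("accept", *route)
    for route in dropped:
        print("drop  ", *route)
```

Prefixes that no ROA covers come back as not-found and stay reachable under this policy; only announcements that contradict a published ROA are dropped.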
Easier to check, easier to fix
Our thinking is that RPKI fixes liability issues: a customer could come to you and ask why you did not do everything to prevent a connection with an IP address block that is ‘clearly’ hijacked. This is why we feel that it would be best for the Internet if more ISPs implemented RPKI validation. In the end, RPKI validation is like vaccinating. The more systems are immune to bad BGP announcements, the safer the Internet gets. And you know what? It seems like more people feel this way. I noticed this after I gave my presentation during the NLNOG Day. We had a lot of people come up to us to talk about implementing RPKI validation.
Do you want to see my ‘persuasion’ skills? Then you are in luck, because the presentation was taped. You can watch it below.