Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

changed AS15435 from safe to unsage #746

Merged
merged 2 commits into from
Jun 3, 2024
Merged

changed AS15435 from safe to unsage #746

merged 2 commits into from
Jun 3, 2024

Conversation

AlexStorm1313
Copy link
Contributor

Update AS15435 from safe to unsafe. Potential proof: #745

@digizeph digizeph self-assigned this Jun 3, 2024
@digizeph
Copy link
Collaborator

digizeph commented Jun 3, 2024

Thanks for the PR.

Here are some additional evidence:

image
image

digizeph
digizeph reviewed Jun 3, 2024
View reviewed changes
data/operators.csv Outdated Show resolved Hide resolved
@digizeph digizeph added verified: signed AS has signed all their prefixes verified: not filtering Tests showing the AS does not filter RPKI invalid routes status: pending response Pending response from the issue/PR opener labels Jun 3, 2024
@AlexStorm1313 @digizeph
Update data/operators.csv
e8b2f9f 
add signed column

Co-authored-by: Mingwei Zhang <[email protected]>
@AlexStorm1313
Copy link
Contributor Author

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

@digizeph
Copy link
Collaborator

digizeph commented Jun 3, 2024
edited
Loading

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

There are two parts for routing security with RPKI for an ISP:

  1. protect its own IP prefixes by signing its prefixes, so that BGP hijackers who attempted to announce its prefixes will be rejected by other networks who filters RPKI invalid announces.
  2. protect all other networks by dropping RPKI invalid announcesments received on its routers (i.e. route origin validation (ROV)).

AS15435 used to do both, i.e. sign its routes and filter RPKI invalid announcements. Now it stopped filtering invalid routes and only signs its prefixes.

For checking prefix signing status for any ASN, you can use Cloudflare Radar routing stats page:
https://radar.cloudflare.com/routing/as15435?dateRange=7d

For checking RPKI invalid filtering, the check you did you do on isbgpsafeyet.com is the simplest way to do so. You can also check other public measurements to see results from different vantage points:
https://stats.labs.apnic.net/rpki/AS15435

Hope this helps.

@digizeph digizeph merged commit f4c7133 into cloudflare:master Jun 3, 2024
2 checks passed
@digizeph digizeph mentioned this pull request Jun 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@digizeph digizeph digizeph approved these changes

Assignees

@digizeph digizeph

Labels
status: pending response Pending response from the issue/PR opener verified: not filtering Tests showing the AS does not filter RPKI invalid routes verified: signed AS has signed all their prefixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AlexStorm1313 @digizeph