Hurricane Electric now requires IRR and filters invalid RPKI
If you are a Hurricane Electric customer you may be receiving e-mails like the following:
Dear ASXXX,
Routing Security Report for ASXXX
Hurricane Electric cares about your routing security. We filter all BGP sessions using prefix filters based on IRR and RPKI.
This report is being sent to help you identify prefixes which may need either their IRR or RPKI information created or updated
and to also help you identify possibly hijacked routes you may be accepting and reannouncing.
Routes with RPKI status INVALID_ASN strongly indicate a serious problem.
IPv4 SUMMARY
Routes accepted: 3
Routes rejected: 3
Routes with RPKI status VALID: 0
Routes with RPKI status INVALID: 0
IPv6 SUMMARY
Routes accepted: 1
Routes rejected: 0
Routes with RPKI status VALID: 0
Routes with RPKI status INVALID: 0
We currently do not have a valid as-set name for your network. Please add an export line to your aut-num ASXXXX
that references your as-set name. For example,
export: to AS-ANY announce your-as-set-name
If you do not currently have an as-set, we recommend you create one named ASXXXX:AS-ALL
Your as-set should contain just your ASN and your customers' ASNs and/or as-sets (not your peers or upstream providers).
What does this mean for you as a service provider? If you use Hurricane Electric as transit or peer with them on an exchange, you will need to have ROAs for your blocks and have routing registry objects. I did a tutorial based on ARIN, which can be found at: https://blog.j2sw.com/networking/routing-registries-and-you/
In short, you need to do the following:
- Create a mntner object (equivalent of a user account) to give you the ability to create IRR objects in your selected IRR database
- Create an aut-num to represent your autonomous system and describe its contact information (admin and technical) and your routing policy
- Create an as-set to describe which autonomous system numbers your peers should expect to see from you (namely your own and your transit customers)
- Create a route/route6 object for every prefix originated from your network
- Update your PeeringDB profile to include your IRR peering policy
- Generate RPKI ROAs: https://www.arin.net/resources/manage/rpki/roa_request/#creating-a-roa-in-arin-online
Clarification:
Some folks are confusing having valid ROAs with having a router that supports RPKI route origin validation in real time. These are two separate things. You create ROA records with your RIR, such as ARIN, and that has nothing to do with route validation on your router.
Also, HE is filtering any RPKI INVALID routes. Does this mean they are requiring RPKI? You be the judge.
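To make the distinction concrete, here is an added example (not from the original post or from Hurricane Electric) of the route origin validation a filtering network runs against published ROAs, following RFC 6811. The ROAs, prefixes and ASNs are constructed documentation values, and the INVALID_LENGTH and NOT_FOUND labels are assumptions; the report above only names VALID, INVALID and INVALID_ASN.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # prefix the resource holder authorized
    max_length: int  # longest announcement the ROA permits
    asn: int         # origin AS authorized to announce it


# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify one announcement against a ROA set (RFC 6811 logic).

    Splitting the invalid state into INVALID_ASN and INVALID_LENGTH is an
    assumption made for readability; RFC 6811 itself only defines
    Valid, Invalid and NotFound.
    """
    route = ipaddress.ip_network(prefix)
    covered = False      # at least one ROA covers this prefix
    asn_matched = False  # a covering ROA names this origin AS
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route sits inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS0 in a ROA never matches any route (RFC 6811).
        if roa.asn == origin_asn and roa.asn != 0:
            if route.prefixlen <= roa.max_length:
                return "VALID"
            asn_matched = True
    if not covered:
        return "NOT_FOUND"  # no ROA exists: nothing to validate against
    return "INVALID_LENGTH" if asn_matched else "INVALID_ASN"
```

A prefix with no ROA comes back NOT_FOUND rather than invalid, which is why the sample report can show zero VALID and zero INVALID routes at the same time.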