
Prepare your network for RPKI validation and avoid business impacts

We are deploying RPKI validation and filtering in our AS 5511 network in order to improve the security and resilience of the Internet’s global routing system. Here are some recommendations to help you prepare your network and prevent your traffic from being blocked.

RPKI is a critical lever of security and resilience of the global Internet

RPKI is an IETF standard framework designed to:

  • improve the security and resilience of the Internet’s global routing system
  • reduce the risk of accidental BGP routing incidents (route leaks)
  • prevent malicious IP resource hijacks

RPKI is a security framework that provides an out-of-band system for validating the BGP prefixes advertised by the networks that make up the Internet.

How to prepare for RPKI deployment in your IP provider’s network

1. Verify the BGP prefixes you advertise to the Internet against your Route Origin Authorization (ROA) data, and correct any inconsistencies in order to avoid potential traffic impact. If needed, Orange will help you to identify problematic BGP prefixes.

2. We also encourage you to secure the IP address space that your network holds by creating corresponding ROAs. This will protect your business, and the Internet, from hijacking attempts and/or some potential routing incidents.

ROAs must be created with any one of the 5 Regional Internet Registries (RIR): 

[Figure: map of the Regional Internet Registries]

3. Before applying any change to the BGP architecture in your network, make sure there is consistency between the BGP advertisements and the ROAs.

4. Finally, you might want to deploy RPKI validation and filtering in your own network. It is not mandatory, but it adds a further level of security to your network, which is ultimately beneficial to your customers.
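The consistency check in steps 1 and 3 can be scripted. The following is an added example, not Orange's tooling: it applies the origin validation rules of RFC 6811 to a list of announcements and reports which ones are valid, invalid, or not covered by any ROA. All prefixes and AS numbers are constructed sample values from documentation ranges; in practice the ROA data would come from your RPKI validator's export.

```python
import ipaddress

# Constructed sample data (documentation prefixes, documentation ASNs).
# Each validated ROA payload is (prefix, max_length, origin_asn).
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]
# Each announcement is (prefix, origin_asn) as advertised in BGP.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # matches its ROA
    ("198.51.100.0/25", 64500),  # more specific than maxLength allows
    ("2001:db8:1::/48", 64501),  # covered, but wrong origin AS
    ("203.0.113.0/24", 64500),   # no ROA at all
]


def validate(prefix, origin_asn, vrps):
    """Return (state, reason) following the RFC 6811 origin validation rules."""
    route = ipaddress.ip_network(prefix)
    covered = False
    asn_match = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        roa = ipaddress.ip_network(vrp_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        # AS 0 in a ROA never matches any origin (RFC 6811).
        if vrp_asn == origin_asn and vrp_asn != 0:
            asn_match = True
            if route.prefixlen <= max_len:
                return "valid", "matching ROA"
    if not covered:
        return "not-found", "no covering ROA"
    if asn_match:
        return "invalid", "prefix longer than ROA maxLength"
    return "invalid", "origin AS not authorized by any covering ROA"


def audit(announcements, vrps):
    """Map each (prefix, origin_asn) announcement to its validation result."""
    return {(p, a): validate(p, a, vrps) for p, a in announcements}


if __name__ == "__main__":
    for (p, a), (state, why) in audit(SAMPLE_ANNOUNCEMENTS, SAMPLE_VRPS).items():
        print(f"{p:<20} AS{a:<6} {state:<10} {why}")
```

Announcements reported as invalid are the ones to fix before a provider starts filtering, either by correcting the ROA (origin AS or maxLength) or by changing the advertisement.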

Do not forget to check our “BGP best practices for IP Transit customers.”
