As we are deploying RPKI validation and filtering in our AS 5511 network in order to improve the security and resilience of the Internet’s global routing system, here are some recommendations to help you prepare your network and prevent your traffic from being blocked.
RPKI is an IETF standard framework designed to:
RPKI is a security framework that provides an out-of-band system for validating the BGP prefixes advertised by the networks that make up the Internet.
1. You need to verify the BGP prefixes you advertise to the Internet against your Route Origin Authorization (ROA) data and correct any inconsistencies in order to avoid potential traffic impact. If needed, Orange will help you to identify problematic BGP prefixes.
2. We also encourage you to secure the IP address space that your network holds by creating corresponding ROAs. This will protect your business, and the Internet, from hijacking attempts and/or some potential routing incidents.
ROAs must be created with any one of the 5 Regional Internet Registries (RIR):
3. Before applying any change to the BGP architecture in your network, make sure there is consistency between the BGP advertisements and the ROAs.
4. Finally, you might want to deploy RPKI validation and filtering in your own network. It is not mandatory, but it adds a further level of security to your network, which ultimately benefits your customers.
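The consistency check in steps 1 and 3 can be scripted before any BGP change. The following is an added example, not Orange tooling: it applies RFC 6811 route origin validation to a list of announcements, and the `VRPS` and `ANNOUNCEMENTS` data are constructed from documentation prefixes and ASNs (real validated ROA payloads would come from your own RPKI validator).

```python
import ipaddress

# Constructed validated ROA payloads (VRPs): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
    ("203.0.113.0/24", 24, 0),  # AS0 ROA: the holder says "do not route this"
]

# Constructed list of what the network plans to announce: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64496),   # more specific than the ROA's maxLength
    ("198.51.100.0/24", 64496),  # ROA names a different origin AS
    ("2001:db8:1::/48", 64496),
    ("203.0.113.0/24", 64496),   # covered only by an AS0 ROA
    ("10.10.0.0/16", 64496),     # no covering ROA at all
]

def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation. Returns (state, reasons)."""
    route = ipaddress.ip_network(prefix)
    reasons = []
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        if vrp_asn == 0 or vrp_asn != origin_asn:
            reasons.append(f"{vrp_prefix}: ROA authorizes AS{vrp_asn}, not AS{origin_asn}")
        elif route.prefixlen > max_len:
            reasons.append(f"{vrp_prefix}: /{route.prefixlen} exceeds maxLength {max_len}")
        else:
            return "valid", []  # one matching VRP is enough
    # Covered but never matched is invalid; never covered is not-found.
    return ("invalid", reasons) if reasons else ("not-found", [])

def audit(announcements, vrps=VRPS):
    """Return the announcements that origin validation marks invalid."""
    problems = []
    for prefix, asn in announcements:
        state, reasons = validate(prefix, asn, vrps)
        if state == "invalid":
            problems.append((prefix, asn, reasons))
    return problems

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state, reasons = validate(prefix, asn)
        print(f"{prefix:<20} AS{asn:<6} {state:<10} {'; '.join(reasons)}")
```

Announcements reported as invalid are the ones to fix, either by correcting the ROA (origin AS or maxLength) or by changing the announcement; not-found prefixes are candidates for the ROA creation in step 2.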
Do not forget to check our “BGP best practices for IP Transit customers.”