[FCIX] RPKI Rollout on FCIX

Kenneth Finnegan kenneth at fcix.net
Thu Oct 31 11:28:04 PDT 2019


Greetings,

Lots of movement on lots of things from NANOG77, but one of the many
pieces of news is that Job managed to corner me in a bar and talk my
ears off about RPKI route origin authentication, which is quite
on-brand for him...

I plan to turn on RPKI filtering within the next few days in the FCIX
route servers, which means the following for you:
1. If you have never touched RPKI, or don't even know what it is, or
do know what it is and can't be bothered to do anything with it, this
won't impact you.
2. If you have created RPKI ROAs for all of your prefixes, this change
will start protecting your prefixes on the FCIX route servers!
3. If ROAs exist for your prefixes but they're not all up to date, THE
FCIX ROUTE SERVERS WILL SOON START REJECTING YOUR PREFIXES.

If you think that this configuration change will cause you operational
issues, feel free to give me a shout if you'd like us to delay that
roll-out.

I have also submitted requests to ARIN for AS0 origin ROAs to be
created for the FCIX prefixes. (206.80.238.0/24 and 2001:504:91::/48)
This *should* have no operational impact for you, and if you aren't
interested, you can stop reading this email... NOW.

The concept of using AS0 ROAs is explained in RFC 7607
(https://tools.ietf.org/html/rfc7607) and is basically an
authenticated statement from FCIX saying that our prefixes should
never be visible in the Internet BGP table anywhere. Our address
blocks are only for IP connectivity between members directly connected
to the exchange, and there is no reason for anyone else to ever need
to route traffic with a destination of FCIX.
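To make the three member cases above and the AS0 ROA concrete, here is an added example (written for this page; it is not FCIX route-server code, and the route servers run their own validator) that implements RFC 6811 origin validation over a hand-built ROA set and applies the policy the mail describes: reject "invalid", accept "valid" and "notfound". Every ROA and announcement is constructed from documentation address space and private ASNs, except the two FCIX prefixes quoted above, which get the AS0 ROAs the mail requested from ARIN.

```python
"""RFC 6811 route origin validation with the AS0 rule from RFC 7607.

Added example for this announcement, not FCIX route-server code.  All ROAs
and announcements are constructed for the example, except the two FCIX
prefixes quoted in the mail (206.80.238.0/24 and 2001:504:91::/48).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length this ROA authorizes
    origin_as: int    # 0 = nobody may originate this prefix (RFC 7607)


# Constructed ROA set.  Documentation prefixes and private ASNs stand in for
# three kinds of FCIX member; the last two ROAs are the AS0 ROAs the mail
# describes for the FCIX peering LANs.
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),     # member with a correct, current ROA
    ROA("198.51.100.0/22", 22, 64501),  # member whose ROA was never updated
    ROA("206.80.238.0/24", 24, 0),      # FCIX IPv4 peering LAN, AS0
    ROA("2001:504:91::/48", 48, 0),     # FCIX IPv6 peering LAN, AS0
]


def covering_roas(roas, prefix):
    """ROAs whose prefix covers `prefix` (same address family, equal or shorter)."""
    net = ipaddress.ip_network(prefix)
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == net.version
            and net.subnet_of(ipaddress.ip_network(r.prefix))]


def validate(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    RFC 6811: no covering ROA -> notfound; a covering ROA matching both the
    origin AS and the max-length -> valid; otherwise invalid.  RFC 7607:
    an announcement that itself claims origin AS 0 is always invalid.
    """
    if origin_as == 0:
        return "invalid"
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def route_server_decision(roas, prefix, origin_as):
    """Policy the mail describes: drop invalid, keep valid and notfound."""
    state = validate(roas, prefix, origin_as)
    return ("reject" if state == "invalid" else "accept"), state


if __name__ == "__main__":
    # Constructed announcements as a route server would see them from members.
    announcements = [
        ("192.0.2.0/24", 64500),     # case 2 in the mail: protected, accepted
        ("203.0.113.0/24", 64502),   # case 1: no ROA at all, unaffected
        ("198.51.100.0/24", 64501),  # case 3: /24 exceeds maxlen 22 -> rejected
        ("192.0.2.0/24", 64999),     # wrong origin for a covered prefix -> rejected
        ("206.80.238.0/24", 64500),  # FCIX LAN leaked by a member -> rejected
    ]
    for prefix, asn in announcements:
        decision, state = route_server_decision(ROAS, prefix, asn)
        print(f"{prefix:20} AS{asn:<6} {state:9} -> {decision}")
```

The third announcement is the case that bites: the ROA for 198.51.100.0/22 is real and matches the origin, but it was never updated when the member started announcing /24s, so the more-specifics come back "invalid" and are dropped. The AS0 ROAs make any announcement of the FCIX LANs "invalid" no matter who originates it, which is exactly the property the mail wants.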

The one problem this does create is that if you're operating a network
connected to FCIX and have other routers inside your AS which need to
know how to route across FCIX, you'll need to do one of two things:
1. Configure your BGP speaker connected to FCIX to set next-hop to
itself on FCIX routes so other routers inside your AS can use your IGP
(interior gateway protocol) to route to your edge router. (This is the
recommended solution since it prevents even your customers from
reaching the FCIX prefixes)
2. Carry the FCIX prefixes on your IGP across your whole AS, and make
sure not to re-export them to any of your BGP peers. (Not recommended;
looking at you, FCIX members who have already accidentally leaked our
address space back over to BGP).
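As an added illustration of why option 1 is the safer choice (example code written for this page, not any vendor's BGP implementation), the following models the one rule that matters here: a router only installs an iBGP-learned route if its next-hop resolves in its own routing table. It also shows the export filter option 2 needs so the FCIX LANs never go back out to BGP peers. The FCIX prefixes are the two quoted above; the IGP table, loopbacks and peer address are constructed.

```python
"""Next-hop resolution for FCIX routes inside a member AS.

Added example for this announcement, not any vendor's BGP implementation.
It models one rule: an iBGP-learned route is usable only if its next-hop
resolves in the router's own routing table.  The FCIX prefixes are the two
quoted in the mail; every other address is constructed for the example.
"""
import ipaddress

FCIX_LANS = [ipaddress.ip_network("206.80.238.0/24"),
             ipaddress.ip_network("2001:504:91::/48")]


def longest_match(table, address):
    """Most specific prefix in `table` (strings) containing `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for p in table:
        net = ipaddress.ip_network(p)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def internal_router_view(igp_table, edge_loopback, peer_next_hop, next_hop_self):
    """What a non-edge router sees for a route the edge learned on FCIX.

    With next-hop-self the edge rewrites the next-hop to its own loopback,
    which the IGP already carries (option 1).  Without it the next-hop stays
    the peer's FCIX LAN address, which resolves only if the IGP carries the
    FCIX prefix itself (option 2).  Returns (usable, next_hop).
    """
    nh = edge_loopback if next_hop_self else peer_next_hop
    return longest_match(igp_table, nh) is not None, nh


def ebgp_export(prefixes):
    """Export filter for option 2: never re-advertise the FCIX LANs to BGP peers."""
    kept = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if any(net.version == lan.version and net.subnet_of(lan) for lan in FCIX_LANS):
            continue   # would be a leak of the exchange's address space
        kept.append(p)
    return kept


if __name__ == "__main__":
    # Constructed IGP table of a member AS: internal links and router loopbacks.
    igp = ["10.0.0.0/24", "10.0.1.0/24", "10.255.0.1/32", "10.255.0.2/32"]
    edge = "10.255.0.1"          # edge router loopback, constructed
    peer_nh = "206.80.238.10"    # constructed peer address on the FCIX LAN

    print("option 1, next-hop-self:", internal_router_view(igp, edge, peer_nh, True))
    print("no next-hop-self, FCIX LAN not in IGP:", internal_router_view(igp, edge, peer_nh, False))
    print("option 2, FCIX LAN in IGP:",
          internal_router_view(igp + ["206.80.238.0/24"], edge, peer_nh, False))
    print("option 2 export:",
          ebgp_export(["203.0.113.0/24", "206.80.238.0/24", "2001:504:91::/48"]))
```

The middle case is the failure mode once the FCIX prefixes disappear from the global table: routes learned across the exchange still arrive over iBGP, but their next-hop no longer resolves on any router other than the edge, so they are silently unusable. Option 1 fixes that by rewriting the next-hop; option 2 fixes it by putting the LAN in the IGP, at the cost of having to filter it on every eBGP session.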

More news about progress on other fronts from NANOG to come soon!
--
Kenneth Finnegan
Technical Director, FCIX
