Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

changed AS15435 from safe to unsage #746

Merged
merged 2 commits into from
Jun 3, 2024

Conversation

AlexStorm1313
Copy link
Contributor

Update AS15435 from safe to unsafe. Potential proof: #745

@digizeph digizeph self-assigned this Jun 3, 2024
@digizeph
Copy link
Collaborator

digizeph commented Jun 3, 2024

Thanks for the PR.

Here are some additional evidence:

image
image

data/operators.csv Outdated Show resolved Hide resolved
@digizeph digizeph added verified: signed AS has signed all their prefixes verified: not filtering Tests showing the AS does not filter RPKI invalid routes status: pending response Pending response from the issue/PR opener labels Jun 3, 2024
add signed column

Co-authored-by: Mingwei Zhang <digizeph@users.noreply.github.com>
@AlexStorm1313
Copy link
Contributor Author

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

@digizeph
Copy link
Collaborator

digizeph commented Jun 3, 2024

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

There are two parts for routing security with RPKI for an ISP:

  1. protect its own IP prefixes by signing its prefixes, so that BGP hijackers who attempted to announce its prefixes will be rejected by other networks who filters RPKI invalid announces.
  2. protect all other networks by dropping RPKI invalid announcesments received on its routers (i.e. route origin validation (ROV)).

AS15435 used to do both, i.e. sign its routes and filter RPKI invalid announcements. Now it stopped filtering invalid routes and only signs its prefixes.

For checking prefix signing status for any ASN, you can use Cloudflare Radar routing stats page:
https://radar.cloudflare.com/routing/as15435?dateRange=7d

For checking RPKI invalid filtering, the check you did you do on isbgpsafeyet.com is the simplest way to do so. You can also check other public measurements to see results from different vantage points:
https://stats.labs.apnic.net/rpki/AS15435

Hope this helps.

@digizeph digizeph merged commit f4c7133 into cloudflare:master Jun 3, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: pending response Pending response from the issue/PR opener verified: not filtering Tests showing the AS does not filter RPKI invalid routes verified: signed AS has signed all their prefixes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants