Feature: Hardening BGP

[bbros-dev]

Place holder to track initial scope and references.

Issues:

• Are there any standards guidance on the 'special'/private networks CIAB utilizes.
• What additional security/functionality is added for CIAB use cases - or is the value educational alone - which is enough (IMO).
  • [/] Route-Origin-Validation (ROV): RPKI
    • Without RPKI ".. deliberately or accidentally, networks are able to advertise more specific prefix routing information for address space controlled by other networks to their peers over BGP, which causes that traffic to flow through their network instead of to the intended recipient"[1]. No definite source that says BGP hard-codes protection for private address spaces against this type of "deliberately or accidentally" occurring event.
      • Use-case: In addition to external "deliberately or accidentally" occurring events; segmenting development/test/staging/production networks.
      • RPKI to Route (RTR) implementations:
        • Routinater: Recommended.[2]
        • RIPE NCC Validator
        • Cloudflare OktoRPKI
        • FORT
  • BGPSec
• MANRS: Mutually Agreed Norms for Routing Security
  • Review MANRS implementation guide for compliance and suggestions.

References:

• RPKI and BGPSec
• RPKI to Router (RTR): Routinator
• 1
• 2

[bbros-dev]

Unfortunately, we no longer have time to devote to resolving this issue. Closing, but happy for anyone to reopen - we didn't want to be thought of just opening up to-do lists for others.