isbgpsafeyet.com icon indicating copy to clipboard operation
isbgpsafeyet.com copied to clipboard
verified publisher icon cloudflare

Automate test using ripe atlas network

Open kroeckx opened this issue 5 years ago • 5 comments

The ripe atlas network has many probes all over the world. It should be possible to use that to get information about many of the networks.

kroeckx avatar Apr 20 '20 13:04 kroeckx

Hi @kroeckx, We're use this :) , but it's not automated We ran a few probes https://atlas.ripe.net/measurements/?page=1&search=target:invalid.rpki.cloudflare.com#tab-traceroute and we got satisfying results.

lspgn avatar Apr 20 '20 20:04 lspgn

So thinking about this some more, I think this allows us to find who is filtering, and who is not.

If needed, I can run a larger measurements, and then process that data.

But I have no idea how to find out if they're signing or not. Maybe it's useful to split that column in 2?

kroeckx avatar Apr 20 '20 21:04 kroeckx

There is a risk of encountering the issue mentioned in #105 . If you manage to run a continuous test, we'll definitely use the data but I cannot give any timeline.

For signing checks: our portal has data: https://rpki.cloudflare.com/?view=bgp&prefix=&asn=13335&validState=Valid But this also requires to map an organization which owns the IPs (in a certificate) to the actual ISP.

lspgn avatar Apr 20 '20 22:04 lspgn

I'm not sure what you mean with the last sentence, or that the difference between the ISP and the AS is important.

kroeckx avatar Apr 20 '20 22:04 kroeckx

The network originating the BGP announcements is not always the owner of the IP addresses. But in general, checking if the prefixes an ASN announce are signed is a good-enough metric.

lspgn avatar Apr 21 '20 00:04 lspgn