Routing Security

Last Updated: 2020-02-04

COMMITTED TO THE FUTURE AND STABILITY OF THE INTERNET

Here at Telia Carrier, we take our responsibility to secure Internet Routing very seriously. Through a mix of industry best practices, our systems, and well-crafted policies, we minimize the chances of common routing threats, including BGP Hijacks and Route Leaks.

PROUD MEMBER OF MANRS

In our efforts to improve Internet routing security, we have joined MANRS, which is a global initiative, supported by the Internet Society, that provides essential fixes to reduce the most common routing threats.

As part of our membership with MANRS, Telia Carrier commits to adhere to four concrete actions to reduce routing threats:

1. Filtering

2. Anti-Spoofing

3. Coordination

4. Global Validation

Have a look at the excellent MANRS observatory tool!

RPKI - RESOURCE PUBLIC KEY INFRASTRUCTURE

RPKI is a method to help prevent BGP hijacking and route leaks. It uses cryptographic signatures to validate that an ASN is allowed to announce a particular prefix. Telia Carrier’s ASN, AS1299, has deployed RPKI route validation and filtering. We reject RPKI Invalids on all BGP sessions, for both peers and customers.

PLEASE NOTE: It is not our intention to do anything other than filter out Invalids – we will not be rejecting Unknowns. 

| RPKI State | Description | Recommended Action |
|---|---|---|
| Valid | Correct IP/masklength from the correct origin AS according to the ROA. | All good. No need to do anything. |
| Unknown | No ROA registered. | We recommend that customers register ROAs to protect their address space, but it's not required. |
| Invalid | Incorrect masklength and/or origin AS according to the registered ROA. | The address space owner should correct the ROA. |
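
The three states above and the reject-Invalids-only policy can be illustrated with a short classifier. This is an added example, not Telia Carrier's code; it assumes the RFC 6811 origin validation rules, and the `ROA` tuple, function names and sample ROAs (documentation prefixes and ASNs) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address space the ROA covers
    max_length: int  # longest mask length the origin may announce
    asn: int         # authorized origin AS


# Constructed sample ROAs (documentation ranges, not real RPKI data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 64501),  # second authorized origin
    ROA("2001:db8::/32", 48, 64500),
]


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced prefix
        covered = True  # a ROA exists for this address space
        # An AS0 ROA covers space but never authorizes an origin.
        if roa.asn != 0 and roa.asn == origin_asn \
                and route.prefixlen <= roa.max_length:
            return "valid"  # one matching ROA is enough
    # Covered but no match: wrong origin AS and/or mask too long.
    return "invalid" if covered else "unknown"


def accept(prefix: str, origin_asn: int, roas) -> bool:
    """Policy stated on this page: drop Invalids, keep Valid and Unknown."""
    return rov_state(prefix, origin_asn, roas) != "invalid"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("192.0.2.0/24", 64501), ("198.51.100.0/24", 64500),
                     ("2001:db8:1::/48", 64500)]:
        state = rov_state(pfx, asn, SAMPLE_ROAS)
        print(f"{pfx:18} AS{asn}  {state:8} accept={accept(pfx, asn, SAMPLE_ROAS)}")
```

Note that a more-specific announcement inside ROA-covered space is Invalid, not Unknown, when it exceeds the ROA's maximum length, which is why the address space owner has to correct the ROA.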

RPKI VALIDATORS

We’ve been working hard on testing our validator infrastructure to ensure it is stable and scalable for a network of our size. In total, we have four validators deployed, two in North America and two in Europe, running two different versions of software. Each edge router has RTR sessions with each of the validators, giving us an extremely resilient deployment.

Useful Resources

Have a look at Telia Carrier’s BGP Looking Glass to see the status of learned prefixes.

RPKI Documentation Library - a great starting point on what RPKI is all about!

RPKI Validator - look up validated ROAs.

Analysis tool for more details on covering prefixes.

BGP PREFIX FILTER UPDATES

All eBGP sessions have their filters automatically updated by our own “BGP Filter Server” tool. This process runs twice daily, at 0700 and 2100 CET. For urgent updates needed between these times, customers can contact our Customer Service Center. A policy (AS or AS-set) registered in an IRR database is needed to build filters. We provision prefix filters by default and encourage customers to create and keep their IRR records updated.

The filter server mirrors a total of 25 IRR databases. In case an AS-set exists in multiple databases, the default IRR query order is: RADB, AFRINIC, RIPE, RIPE-NONAUTH, BELL, APNIC, NTTCOM, ALTDB, PANIX, RISQ, NESTEGG, LEVEL3, REACH, AOLTW, OPENFACE, ARIN, OTTIX, EASYNET, JPIRR, HOST, RGNET, ROGERS, BBOI, TC, and CANARIE. Route objects from all IRR sources will be candidates for prefix filters.

IP ADDRESS ALLOCATION 

The Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE, manage IP address allocations. All of these, except LACNIC, have an IRR where an operator that has received resources (AS numbers and IP addresses) from that RIR can register RPSL data (aut-num, as-set, and route-object). We recommend that customers maintain relevant RPSL information for their allocations in the respective RIR.

All customers should have the ability to create relevant RPSL objects except for those that are in the LACNIC region. RADB is the most commonly used IRR alternative, but ALTDB can also be used. All RIRs, including LACNIC, also have the option to create RPKI ROAs. We include ROA information (very similar to route objects) in our prefix filters. In that way, we cover and can build prefix filters for all IP addresses allocated across every region.
