As many of you might know, DE-CIX plans to deploy RPKI at the DE-CIX route servers. With this step, we want to increase the security of the Internet routing system and support the adoption of RPKI. The adoption is essential to Internet security, and the benefits will be visible from day one for all peers and their customers.
Working on a solution based on customer feedback
As the combination of RPKI and Blackholing might increase the operational burden, the initial deployment announcement on the DE-CIX tech mailing list caused discussions about how to implement the feature. Based on this customer feedback, we are working on a deployment solution that works best for our customers. DE-CIX’s CTO, Dr Thomas King, and our team has spoken with customers on several occasions like NANOG and at the RPKI round table at the Cloudflare office in mid-February, where different options were presented and received positive feedback.
3 options being discussed
The options that are currently being discussed are listed on github:
Strict RPKI Origin Validation Filtering incl. Blackholes
No RPKI Origin Validation Filtering for Blackholes
Strict RPKI Origin Validation Filtering for Non-Blackholes and Loose RPKI Origin Validation Filtering on Blackholes
More details can be found here.
At the moment, it looks like option 3 is the preferred one. Feedback from DE-CIX customers is highly appreciated: please let us know your thoughts by the end of February.
We will keep you posted about the deployment and the exact implementation. If you have any questions, please do not hesitate to contact us. RPKI will be implemented at all DE-CIX exchanges except our exchanges in India, and the exchanges in Berlin and Moscow.