Border Gateway Protocol and RPKI key usage with your ISP

Archive
1

BGP is the protocol that allows the internet to continue expanding, as such. It was NOT created with security as a focus. Below are a few links for those interested to test their ISP for implementation of RPKI key protections at the provider level. A listing of the ISP's known to have this implemented are also shown. Cloudflare also provides a blog on the subject matter as well. Thus, the reason I have preferred Cloudflare DNS on my network and devices for some time now. Your personal choice and mileage will vary depending on your security needs.

What is BGP and RPKI?
https://isbgpsafeyet.com/#what-is-rpki

Test your ISP for BGP and implementation of RPKI keys:
https://isbgpsafeyet.com/

Cloudflare Blog: 
https://www.cloudflare.com/learning/security/glossary/what-is-bgp/

Better security makes for happier computing experiences!

SA

2

ARIN, will perform a "surprise" RPKI take down sometime in the month of July as a test to see how providers will or don't use fall back implementation if RPKI ever goes down. Bleeping Computer once again has the article available.

SA

3

Indeed it does. The exact opposite of what I'm seeing indeed. Region conflicts maybe? 

 

4

Without using Norton VPN I get:

When using Norton VPN connected to Australia I get this:

 

I hope that clears things up.

5

My router is set with both IPv4&6 enabled ( FIOS ). I cannot disable IPv6 internally due to constaints FIOS has on Triple Play packages which include TV & VOIP. I DO have CloudFlare DNS values set in the G3100 router. Below are my test results from the BGP ISP test link. Reference to the N360 VPN are, that it and CloudFlare itself prevents some things at the device level. I'm showing that my ISP isn't in compliance per the screenshots. THAT is the issue being presented on my end. Other ISP's may get different results, there is also a listing on ISP's who ARE RPKI compliant in the article.

bgp failiure verizon.pngmy bgp test results for verizon.pngSince Norton Services uses Amazon Web Services, this screenshot shows the Norton VPN "enabled" and the BGP test performed. It passes due to the use of AWS. Hope that clears things up a bit.

pgb test with norton vpn enabled.png

SA

6

I'm not talking about leaks but the test you posted above.

https://isbgpsafeyet.com/

No I'm not using CloudFare DNS.  I'm using my IPS's IPv4 and CleanBrowsing IPv6 in my router.

7

Are you using CloudFlare DNS? I will check the VPN my side to validate on my end. 

Edited: VPN enabled and region set to Canada, IPv4 & 6 do not leak.

SA

8

Without using Norton's VPN my ISP passes, but if I test while using Norton VPN it fails.