changed AS15435 from safe to unsage

[AlexStorm1313]

Update AS15435 from safe to unsafe. Potential proof: #745

[digizeph]

Thanks for the PR.

Here are some additional evidence:

• Lacks of ROV: https://stats.labs.apnic.net/rpki/AS15435
• Still signing all prefixes: https://radar.cloudflare.com/routing/as15435?dateRange=7d

[AlexStorm1313]

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

[digizeph]

@digizeph Is my understanding correct that the prefixes are signed, but not checked by the ISP and is there a way to validate this yourself (locally)?

There are two parts for routing security with RPKI for an ISP:

1. protect its own IP prefixes by signing its prefixes, so that BGP hijackers who attempted to announce its prefixes will be rejected by other networks who filters RPKI invalid announces.
2. protect all other networks by dropping RPKI invalid announcesments received on its routers (i.e. route origin validation (ROV)).

AS15435 used to do both, i.e. sign its routes and filter RPKI invalid announcements. Now it stopped filtering invalid routes and only signs its prefixes.

For checking prefix signing status for any ASN, you can use Cloudflare Radar routing stats page: https://radar.cloudflare.com/routing/as15435?dateRange=7d

For checking RPKI invalid filtering, the check you did you do on isbgpsafeyet.com is the simplest way to do so. You can also check other public measurements to see results from different vantage points: https://stats.labs.apnic.net/rpki/AS15435

Hope this helps.