RPKI and offline routes

Jakob Heitz (jheitz) jheitz at cisco.com
Tue Jun 14 20:19:37 UTC 2016


ASN 0 is used for this purpose.
Look for the word "zero" in
https://tools.ietf.org/html/rfc6907

Thanks,
Jakob.

> Date: Mon, 13 Jun 2016 17:53:45 -0500 (Central Sommerzeit)
> From: Matthias Waehlisch <m.waehlisch at fu-berlin.de>
> To: Theodore Baschak <theodore at ciscodude.net>
> Cc: NANOG Operators' Group <nanog at nanog.org>
> Subject: Re: RPKI and offline routes
> 
> Hi,
> 
>   the creation of a ROA does not require the announcement of the prefix.
> Creation of a ROA, prefix announcement, and validation of the prefix are
> decoupled. If you are the legitimate resource holder you can create a
> ROA for this prefix (even if you don't advertise the prefix). As soon as
> the prefix is advertised, third parties can validate based on the
> created ROA.
> 
>   However, in case the hijacker is able to use the legitimate origin
> ASN, the validation outcome would be valid. You would need to assign the
> prefix to an ASN that cannot be hijacked or is dropped for other
> reasons. (Or do BGPsec. ;)
> 
> 
> Cheers
>   matthias
> 
> On Mon, 13 Jun 2016, Theodore Baschak wrote:
> 
> > Can RPKI be used with routes that are not being advertised at the moment?
> > As in to sign a route that *could* be there, but is not there presently.
> >
> > There's been several BGP hijacks that I've followed closely that
> > involved hijacking IP space as well as the ASN that would normally
> > originate it. I'm wondering if having valid ROAs/RPKI would have
> > helped in this case or not.
> >
> >
> > Theodore Baschak - AS395089 - Hextet Systems
> >
