deploying RPKI based Origin Validation

Mark Tinka mark.tinka at
Fri Jul 13 12:53:30 UTC 2018

On 13/Jul/18 14:43, Job Snijders wrote:

> Have you considered applying "invalid == reject" on just transit/peering
> sessions rather than customer sessions as an intermediate step? I bet
> most misconfigurations or hijacks didn't come in via your customers.

Yes, we did. The issue is some of our customers did ROA their
aggregates, but not the more-specifics. We didn't want to get into a
situation where we had to custom-design templates depending on what RPKI
mood the customer was in :-).

But yes, the majority of the issue was with routes learned from peers
and transit. That, though, still leaves the problem where you end up
providing a partial routing table to your customers, while your
competitors in the same market aren't. Most customers that aren't keen
on IPv6 or DNSSEC treat RPKI the same way - as a nuisance. So trying to
speak sense into them would be a more treacherous road to take than just
turning it off until we get wider support within the BGP operational


More information about the NANOG mailing list