deploying RPKI based Origin Validation

Mark Tinka mark.tinka at seacom.mu
Sat Jul 14 04:46:33 UTC 2018



On 13/Jul/18 17:18, Grant Taylor via NANOG wrote:

> Please forgive the n00b question:  But isn't that where carrying the
> prefixes through your network and conditionally advertising them to
> customers comes into play?
>
> Or does that run into complications where you must also have the
> prefixes which don't validate routed in your core?

Carrying prefixes in the network is not an issue, valid or otherwise.

If you act on them as they enter the network in an aggressive manner,
then the other end of an eBGP session will not receive them. That's the
issue. Of course, that's how RPKI is supposed to work, but when you're
the only one doing it, you're shooting your own foot.


>
> The reading I did on RPKI / OV yesterday made me think that it is
> possible to have validated routes preferred over unknown routes which
> are preferred over invalid routes.  So I'd think that you could still
> have the routes through your core but conditionally advertise the
> prefixes to customers based on their desires.

Using LOCAL_PREF to (de)prefer routes based on their validation status
is an idea that has been used since 2014. But for me, it defeats the
purpose if you are going to go soft when trying to implement something
that requires this much resolve to clean up the Internet.

Mark.
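
An added example, not part of either message above: RFC 6811 origin validation over constructed VRPs and routes, comparing the two ingress policies discussed in this thread (rejecting invalids versus ranking by LOCAL_PREF). The prefixes, ASNs, LOCAL_PREF values and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed VRPs (prefix, maxLength, origin AS) and BGP routes (prefix, origin AS),
# using documentation prefixes and private-use ASNs; none of this is real routing data.
VRPS = [("192.0.2.0/24", 24, 64500), ("203.0.113.0/24", 24, 64501)]
ROUTES = [
    ("192.0.2.0/24", 64500),     # matches its ROA
    ("192.0.2.128/25", 64511),   # more-specific from another origin
    ("203.0.113.0/24", 64501),   # matches its ROA
    ("203.0.113.0/24", 64511),   # same prefix, wrong origin
    ("198.51.100.0/24", 64502),  # no covering ROA
]
LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}  # assumed values

def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # A VRP with AS 0 never matches any route.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(routes, policy):
    """'drop' rejects invalids at ingress; 'depref' keeps all, ranked by LOCAL_PREF."""
    rib = {}
    for prefix, origin_as in routes:
        state = validate(prefix, origin_as)
        if policy == "drop" and state == "invalid":
            continue  # never installed, so never re-advertised to eBGP neighbours
        cand = (origin_as, state, LOCAL_PREF[state])
        if prefix not in rib or cand[2] > rib[prefix][2]:
            rib[prefix] = cand
    return rib

def forward(rib, dst):
    """Longest-prefix match: returns (prefix, origin AS, state) used for dst."""
    addr = ipaddress.ip_address(dst)
    nets = [p for p in rib if addr in ipaddress.ip_network(p)]
    if not nets:
        return None
    best = max(nets, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return (best, rib[best][0], rib[best][1])
```

Under `depref`, LOCAL_PREF picks the valid origin for 203.0.113.0/24, but the invalid /25 is still installed and wins longest-prefix match for 192.0.2.200. Under `drop` it is never installed, so it is also never re-advertised.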


