deploying RPKI based Origin Validation

Mark Tinka mark.tinka at
Sat Jul 14 04:54:35 UTC 2018

On 13/Jul/18 18:37, Job Snijders wrote:

> That is exactly what I mean. Because of the golden rule "most-specific
> always wins" (and parts of the AS_PATH are pretty easy to spoof) it
> only makes sense to me to completely reject invalid routes.

Exactly my preference, and exactly what we did for 2 years. But in
practice, customers don't really like this, nor does your CFO.

We need mass deployment for this to work effectively, and also a bit
more education for those that sign aggregates but not the more-specifics.


More information about the NANOG mailing list