deploying RPKI based Origin Validation

Mark Tinka mark.tinka at seacom.mu
Sat Jul 14 04:54:35 UTC 2018


On 13/Jul/18 18:37, Job Snijders wrote:

> That is exactly what I mean. Because of the golden rule "most-specific
> always wins" (and parts of the AS_PATH are pretty easy to spoof) it
> only makes sense to me to completely reject invalid routes.

Exactly my preference, and exactly what we did for 2 years. But in
practice, customers don't really like this, nor does your CFO.

We need mass deployment for this to work effectively, and also a bit
more education for those that sign aggregates but not the more-specifics.

Mark.



More information about the NANOG mailing list