deploying RPKI based Origin Validation
michel.py at tsisemi.com
Tue Jul 17 18:33:59 UTC 2018
> Job Snijders wrote :
> I calculated this here a few days ago
> Markus Weber from KPN is generating a daily report here and drew similar
> conclusions: https://as286.net/data/ana-invalids.txt Markus scrapes all
> routes from the AS 286 PEs and marks the routes for which no valid or
> unknown alternative exists as "altpfx=NONE".
If I understand this correctly, I have a suggestion : update these files at a regular interval (15/20 min) and make them available for download with a fixed name (not containing the date).
Even better : have a route server that announces these prefixes with a :666 community so people could use it as a blackhole.
This would not remove the invalid prefixes from one's router, but at least would prevent traffic from/to these prefixes.
In other words : a route server of prefixes that are RPKI invalid with no alternative that people could use without having an RPKI setup.
This would even work with people who have chosen to accept a default route from their upstream.
I understand this is not ideal; blacklisting a prefix that is RPKI invalid may actually help the hijacker, but blacklisting a prefix that is RPKI invalid AND that has no alternative could be useful ?
Should be considered a bogon.
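An added example, not part of the original message: one way such a list could be computed, classifying routes with RFC 6811 origin validation and keeping only the invalid ones that no valid or unknown route covers. The function names, the ROA and route data, and the reading of "alternative" as a same-or-less-specific prefix are assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes, reserved/private ASNs.
ROAS = [  # (prefix, max_length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("203.0.113.0/25", 25, 64502),
]
ROUTES = [  # (prefix, origin AS) as scraped from a BGP table
    ("192.0.2.0/24", 64500),     # valid
    ("192.0.2.128/25", 64500),   # invalid (too specific), valid /24 covers it
    ("198.51.100.0/24", 64666),  # invalid origin, nothing else covers it
    ("203.0.113.0/25", 64666),   # invalid origin, unknown /24 covers it
    ("203.0.113.0/24", 64503),   # unknown: no ROA covers a /24 here
    ("2001:db8::/32", 64504),    # unknown
]

def covers(outer, inner):
    """True if `inner` is equal to or more specific than `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)

def validate(prefix, origin, roas):
    """RFC 6811 state of one route: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if not covers(ipaddress.ip_network(roa_prefix), net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    return "invalid" if covered else "unknown"

def invalid_without_alternative(routes, roas):
    """Invalid routes with no valid/unknown route for the same address space.

    Assumption: an "alternative" is any non-invalid route whose prefix is
    equal to or less specific than the invalid one.
    """
    seen = [(ipaddress.ip_network(p), asn, validate(p, asn, roas))
            for p, asn in routes]
    usable = [net for net, _, state in seen if state != "invalid"]
    return [(str(net), asn) for net, asn, state in seen
            if state == "invalid" and not any(covers(u, net) for u in usable)]

if __name__ == "__main__":
    for prefix, asn in invalid_without_alternative(ROUTES, ROAS):
        print(f"{prefix} AS{asn} altpfx=NONE")
```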