deploying RPKI based Origin Validation

Mark Tinka mark.tinka at seacom.mu
Wed Jul 18 12:10:56 UTC 2018


On 17/Jul/18 20:33, Michel Py wrote:

> If I understand this correctly, I have a suggestion : update these files at a regular interval (15/20 min) and make them available for download with a fixed name (not containing the date).
> Even better : have a route server that announces these prefixes with a :666 community so people could use it as a blackhole.
>
> This would not remove the invalid prefixes from one's router, but at least would prevent traffic from/to these prefixes.
> In other words : a route server of prefixes that are RPKI invalid with no alternative that people could use without having an RPKI setup.
> This would even work with people who have chosen to accept a default route from their upstream.
>
> I understand this is not ideal; blacklisting a prefix that is RPKI invalid may actually help the hijacker, but blacklisting a prefix that is RPKI invalid AND that has no alternative could be useful ?
> Should be considered a bogon.

Hmmh - I suppose if you want to do this in-house, that is fine. But I
would not recommend this at large for the entire BGP community.

At any rate, the result is the same, i.e., the route is taken out of the
FIB. The difference is you are proposing a mechanism that uses existing
infrastructure within almost all ISPs (the BGP Community) in lieu of
deploying RPKI.

I can't quite imagine the effort needed to implement your suggestion,
but I'd rather direct it toward deploying RPKI. At the very least, one
just needs reputable RV software, and router code that supports RPKI RV.

Mark.
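For readers following the thread, the following is an added example (not code from either poster or from any RV software) that shows what the "RPKI invalid" state being discussed actually means. It implements the RFC 6811 origin validation decision (valid / invalid / not-found) over a constructed set of Validated ROA Payloads, and then applies Michel's narrower criterion: an invalid announcement for which no valid or not-found announcement covers the same address space. The VRPs, the sample RIB, and the function names are all assumptions made up for the illustration, using documentation prefixes and private ASNs.

```python
"""RFC 6811 route origin validation over a constructed set of VRPs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload as an RV cache exports it: prefix, maxLength, origin ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample VRPs (documentation prefixes, private ASNs; not real ROAs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/22", 24, 64501),
    VRP("2001:db8::/32", 48, 64502),
]

# Constructed sample RIB: (prefix, origin AS) pairs as a router might learn them.
RIB = [
    ("192.0.2.0/24", 64500),      # valid
    ("192.0.2.0/24", 64666),      # invalid (wrong origin), but a valid alternative exists
    ("198.51.100.0/22", 64501),   # valid
    ("198.51.100.0/25", 64501),   # invalid (longer than maxLength), covered by the /22
    ("203.0.113.0/24", 64500),    # not-found (no covering ROA)
    ("2001:db8:1::/48", 64503),   # invalid (wrong origin), no alternative at all
]


def _covering(vrps: Iterable[VRP], net) -> Iterator[VRP]:
    """Yield every VRP whose prefix covers (equals or contains) the announced prefix."""
    for vrp in vrps:
        roa = ipaddress.ip_network(vrp.prefix)
        if roa.version == net.version and net.subnet_of(roa):
            yield vrp


def validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 decision: 'valid', 'invalid' or 'notfound' for one (prefix, origin) pair."""
    net = ipaddress.ip_network(prefix, strict=False)
    state = "notfound"
    for vrp in _covering(vrps, net):
        state = "invalid"  # at least one ROA covers the prefix; only a matching one makes it valid
        if vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return state


def invalid_without_alternative(rib: List[Tuple[str, int]], vrps: Iterable[VRP]) -> List[str]:
    """Invalid prefixes with no valid or not-found announcement covering the same space.

    This is the narrower set the thread discusses: dropping these cannot be worse than
    leaving them, because there is no non-invalid route to fall back to.
    """
    states = [(p, asn, validate(p, asn, vrps)) for p, asn in rib]
    usable = [ipaddress.ip_network(p, strict=False) for p, _, s in states if s != "invalid"]
    result = set()
    for p, _, s in states:
        if s != "invalid":
            continue
        net = ipaddress.ip_network(p, strict=False)
        has_alt = any(u.version == net.version and net.subnet_of(u) for u in usable)
        if not has_alt:
            result.add(p)
    return sorted(result)


if __name__ == "__main__":
    for prefix, asn in RIB:
        print(f"{prefix:<20} AS{asn:<6} {validate(prefix, asn, VRPS)}")
    print("invalid, no alternative:", invalid_without_alternative(RIB, VRPS))
```

Running the script classifies each RIB entry and lists only `2001:db8:1::/48` as invalid with no alternative; the two IPv4 invalids are shadowed by a valid exact match and a valid less-specific respectively, so dropping them changes nothing. A router doing RV itself would drop all invalids directly; an operator without RV who wanted Michel's approach would tag the returned prefixes with a blackhole community (the standardized one is BLACKHOLE, 65535:666, per RFC 7999) on a route server.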

