deploying RPKI based Origin Validation

Michel Py
Wed Jul 18 19:30:48 UTC 2018


>> Michel Py wrote:
>> If I understand this correctly, I have a suggestion: update these files at a regular interval (15/20 min) and make them available for download with a fixed name
>> (not containing the date). Even better: have a route server that announces these prefixes with a :666 community so people could use it as a blackhole.
>> This would not remove the invalid prefixes from one's router, but at least would prevent traffic from/to these prefixes.
>> In other words: a route server of prefixes that are RPKI invalid with no alternative that people could use without having an RPKI setup.
>> This would even work with people who have chosen to accept a default route from their upstream.
>> I understand this is not ideal; blacklisting a prefix that is RPKI invalid may actually help the hijacker, but blacklisting a prefix that is RPKI invalid AND that has no
>> alternative could be useful? Should be considered a bogon.

> Mark Tinka wrote:
> Hmmh - I suppose if you want to do this in-house, that is fine. But I would not recommend this at large for the entire BGP community.

Agree; was trying to do this in the spirit of this:
As any blocklist, it should not be default and should be left to the end user to choose if they use it or not.

> The difference is you are proposing a mechanism that uses existing infrastructure within almost all ISP's (the BGP Community) in lieu of deploying RPKI.

Not in lieu, but when deploying RPKI is not (yet) possible.
My routers are not RPKI capable, upgrading will take years (I'm not going to upgrade just because I want RPKI).
My upstreams don't do RPKI, I'm trying to convince them but I'm talking to deaf ears.
What do I have left: using a subset of RPKI as a blackhole :-(

> I can't quite imagine the effort needed to implement your suggestion,

Not much at all, I was actually trying to get you to do the RPKI part for me ;-)
This script you wrote, to produce the list of prefixes that are RPKI invalid AND that do not have any alternative, make it run every x minutes on a fixed url (no date/time in name). I will fetch it, inject it in ExaBGP that feeds my iGP and voila, done.
Who wants to use it can, not trying to impose it on the entire BGP community.

> but I'd rather direct it toward deploying RPKI. At the very least, one just needs reputable RV software, and router code that support RPKI RV.

We probably have to wait until attrition brings us routers that have said code.
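The mechanism discussed in this message (a list of RPKI-invalid prefixes with no alternative route, fed to ExaBGP as blackhole announcements) can be sketched end to end. The following is an added example, not code from the thread or from Mark Tinka's script: it implements RFC 6811 origin validation against a constructed set of VRPs, applies one reading of "no alternative" (no valid or not-found route in the same table covers the invalid prefix; that interpretation is an assumption), and renders the survivors as ExaBGP API `announce route` lines tagged with the RFC 7999 BLACKHOLE community 65535:666. Prefixes, ASNs and next-hops are constructed sample values; the ExaBGP command syntax is assumed from its documented text API.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample VRPs (prefix, maxLength, origin ASN), as a validator would export them.
# Hypothetical values, not from any real RPKI repository.
SAMPLE_VRPS: List[Tuple[str, int, int]] = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("203.0.113.0/24", 24, 64502),
    ("2001:db8::/32", 32, 64504),
]

# Constructed sample BGP table (prefix, origin ASN).
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64500),      # valid
    ("192.0.2.0/24", 64666),      # invalid, but the valid route above is an alternative
    ("198.51.100.0/24", 64666),   # invalid (origin mismatch), covered by the valid /22 below
    ("198.51.100.0/22", 64501),   # valid
    ("203.0.113.0/25", 64502),    # invalid (exceeds maxLength 24), nothing else covers it
    ("2001:db8::/32", 64666),     # invalid (origin mismatch), nothing else covers it
    ("10.0.0.0/8", 64503),        # not-found: no covering VRP
]


def validate(prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vnet = ipaddress.ip_network(vrp_prefix, strict=False)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue
        covered = True  # at least one VRP covers the route
        if vrp_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def blackhole_candidates(routes, vrps) -> List[Tuple[str, int]]:
    """Invalid routes for which no valid or not-found route in the table covers the prefix.

    'No alternative' is interpreted here (assumption) as: no non-invalid route exists whose
    prefix equals or is less specific than the invalid one.
    """
    states = [(ipaddress.ip_network(p, strict=False), asn, validate(p, asn, vrps))
              for p, asn in routes]
    usable = [net for net, _, st in states if st != "invalid"]
    out = set()
    for net, asn, st in states:
        if st != "invalid":
            continue
        has_alternative = any(net.version == u.version and net.subnet_of(u) for u in usable)
        if not has_alternative:
            out.add((str(net), asn))
    return sorted(out)


def exabgp_announcements(candidates, next_hop_v4: str, next_hop_v6: str,
                         community: str = "65535:666") -> List[str]:
    """Render blackhole announcements in ExaBGP's text API form (syntax assumed)."""
    lines = []
    for prefix, _ in candidates:
        nh = next_hop_v6 if ":" in prefix else next_hop_v4
        lines.append(f"announce route {prefix} next-hop {nh} community [{community}]")
    return lines


if __name__ == "__main__":
    # Constructed next-hops; in practice this would be the discard next-hop of your IGP.
    for line in exabgp_announcements(blackhole_candidates(SAMPLE_ROUTES, SAMPLE_VRPS),
                                     "192.0.2.1", "2001:db8::1"):
        print(line)
```

With the sample table only 203.0.113.0/25 and 2001:db8::/32 are emitted; the two invalid routes that sit under a valid covering route are left alone, which is the property that distinguishes this list from a plain RPKI-invalid feed. Any ROA error by the legitimate holder turns into a deliberate traffic drop at every site that consumes the feed, so the list should be regenerated from a fresh validator output on each cycle and withdrawn as soon as a covering valid route reappears.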

