deploying RPKI based Origin Validation

Michel Py at
Wed Jul 18 20:16:15 UTC 2018

> Job Snijders wrote :
> Can you elaborate what routers with what software you are using? It surprises
> me a bit to find routers anno 2018 which can't do OV in some shape or form.

They're not anno 2018 ! Cisco 3900 with 4 Gigs. Good enough for me, with the current growth of the DFZ I may have 10 years left before I need to upgrade. Probably will upgrade before that caused to bandwidth, but as of now works good enough for me and upgrading just to get OV is going to be a tough sell.

>> What do I have left : using a subset of RPKI as a blackhole :-(
> If you implement 'invalid == blackhole', and cannot do normal OV - it seems to me that
> you'll be blackholing the actual victim of a BGP hijack? That would seem counter-productive.

I would indeed, but the intent was a subset of invalid : the invalid prefixes that nobody _but_ the hijacker anounces, so blackholing does not hurt the real owner.
In other words : un-announced prefixes that have been hijacked. These are not into bogon lists because they are real.

Now I have no illusions : this is not going to solve the world's problems, how many of these are actually announced and how will that play in the longer term are questionable, but would not that be worth a quick shot at it ?


More information about the NANOG mailing list