Analysing traffic in context of rejecting RPKI invalids using pmacct

Steve Meuse smeuse at mara.org
Mon Mar 11 21:37:09 UTC 2019


On Tue, Feb 12, 2019 at 1:15 PM Job Snijders <job at ntt.net> wrote:

>
>
> ps. Dear Kentik & Deepfield, please copy+paste this feature! We'll
> happily share development notes with you, you can even look at pmacct's
> source code for inspiration. :-)
>


Thanks Job, I just wanted to reach back out to you and the NANOG community
that we've implemented this feature. Currently Kentik can match flow data
with the following validation state:

- VALID = Prefix fits in ROA, and ROA ASN and Prefix Origin Match
- UNKNOWN = we haven't found any matching ROA
- INVALID - ASN mismatch = BGP prefix fits in the ROA prefix's length BUT
the ROA ASN differs from the Prefix Origin ASN
- INVALID - Prefix length out of bounds = the BGP prefix doesn't have an
ROA with large enough Max-Length to refer to
- INVALID - ASN 0 specified = there is a matching ROA w/ the right
max-length but the ASN associated w/ it is 0 (explicit invalid)

If anyone would like more information please hit me up offline.

-Steve
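The validation states listed in the message above, worked through as an added example; this is not code from the original post, from Kentik, or from pmacct. The ROAs and flow records are constructed, the names `classify` and `bytes_by_state` are hypothetical, and the order in which the INVALID reasons are checked is an assumption, since the message does not say which reason wins when several ROAs cover a prefix.

```python
import ipaddress
from collections import Counter

# Constructed ROAs (prefix, maxLength, ASN): documentation prefixes and
# reserved ASNs only, not real RPKI data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 0),      # AS0 ROA
    ("203.0.113.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64502),
]

def classify(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Map one BGP (prefix, origin ASN) pair to a validation state."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or more
        # specific than the ROA prefix, within the same address family.
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append((max_len, roa_asn))
    if not covering:
        return "UNKNOWN"
    # ASNs of covering ROAs whose maxLength admits this prefix length.
    length_ok = [asn for max_len, asn in covering if route.prefixlen <= max_len]
    # An AS0 ROA never validates a route, so ASN 0 is excluded here.
    if any(asn == origin_asn and asn != 0 for asn in length_ok):
        return "VALID"
    # Assumed precedence among the INVALID reasons: length, AS0, mismatch.
    if not length_ok:
        return "INVALID - Prefix length out of bounds"
    if all(asn == 0 for asn in length_ok):
        return "INVALID - ASN 0 specified"
    return "INVALID - ASN mismatch"

def bytes_by_state(flows, roas=SAMPLE_ROAS):
    """Sum bytes per state for (prefix, origin ASN, bytes) flow records."""
    totals = Counter()
    for prefix, origin_asn, nbytes in flows:
        totals[classify(prefix, origin_asn, roas)] += nbytes
    return dict(totals)

if __name__ == "__main__":
    # Constructed flow records, already tagged with BGP prefix and origin.
    flows = [("192.0.2.0/24", 64500, 9000), ("192.0.2.0/25", 64500, 400),
             ("198.51.100.0/24", 64511, 50), ("10.0.0.0/8", 64511, 700)]
    print(bytes_by_state(flows))
```

Summing bytes per state this way shows how much traffic would be affected before a reject-invalids policy is applied.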