[arin-ppml] implementing RPKI prefix validation actually increases risk

William Herrin bill at herrin.us
Tue Jun 6 02:11:59 EDT 2023

On Mon, Jun 5, 2023 at 7:29 PM Michel Py via ARIN-PPML
<arin-ppml at arin.net> wrote:
> As many others here do, I use BGP blackhole feeds (RTBH). This technique has been around for a long time.
> It is quite a common situation in some orgs to have the in-house SIEM/IDS redistribute blackhole prefixes via a BGP feed.

Hi Michel,

I believe you can set up an in-house trust anchor and use it to sign
the routes you distribute internally. Then your routers would consider
the RBL routes to be RPKI valid.

But wouldn't this be a more appropriate discussion for an operations
mailing list like NANOG or a Cisco-specific mailing list? There's not
really anything ARIN can do about how Cisco implements RPKI.

Bill Herrin

William Herrin
bill at herrin.us

More information about the ARIN-PPML mailing list