[arin-ppml] implementing RPKI prefix validation actually increases risk
William Herrin
bill at herrin.us
Tue Jun 6 02:11:59 EDT 2023
On Mon, Jun 5, 2023 at 7:29 PM Michel Py via ARIN-PPML
<arin-ppml at arin.net> wrote:
> As many others here do, I use BGP blackhole feeds (RTBH). This technique has been around for a long time.
> It is quite a common situation in some orgs to have the in-house SIEM/IDS redistribute blackhole prefixes via a BGP feed.
Hi Michel,
I believe you can set up an in-house trust anchor and use it to sign
the routes you distribute internally. Then your routers would consider
the RBL routes to be RPKI valid.
But wouldn't this be a more appropriate discussion for an operations
mailing list like NANOG or a Cisco-specific mailing list? There's not
really anything ARIN can do about how Cisco implements RPKI.
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/
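As an added illustration (not part of the thread), a minimal RFC 6811 route-origin-validation check showing why a SIEM-fed /32 blackhole route comes out Invalid under a public ROA with maxLength 24, and how a locally asserted ROA of the kind an in-house trust anchor would sign (Bill's suggestion) changes that. The prefixes, AS 64496 and the ROA records are constructed sample data, not real RPKI objects.

```python
from ipaddress import ip_network

# Constructed "public" ROA: 203.0.113.0/24, maxLength 24, origin AS 64496.
# Any more-specific route for this space (such as a /32 blackhole) is
# covered by it but exceeds maxLength, so ROV marks it Invalid.
PUBLIC_ROAS = [
    (ip_network("203.0.113.0/24"), 24, 64496),
]

# Constructed local assertion, as an in-house trust anchor might sign it:
# same prefix and origin, but maxLength 32 so host-route blackholes pass.
LOCAL_ROAS = [
    (ip_network("203.0.113.0/24"), 32, 64496),
]


def rov_state(prefix, origin_asn, roas):
    """Route Origin Validation per RFC 6811.

    NotFound: no ROA covers the prefix.
    Valid:    a covering ROA matches the origin AS and the route's length
              does not exceed that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches.
    """
    net = ip_network(prefix)
    covering = [
        r for r in roas
        if r[0].version == net.version and net.subnet_of(r[0])
    ]
    if not covering:
        return "NotFound"
    for roa_prefix, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid"


def blackhole_evaluation(prefix="203.0.113.77/32", origin_asn=64496):
    """State of the blackhole route before and after adding the local ROAs."""
    public_only = rov_state(prefix, origin_asn, PUBLIC_ROAS)
    with_local = rov_state(prefix, origin_asn, PUBLIC_ROAS + LOCAL_ROAS)
    return public_only, with_local


if __name__ == "__main__":
    print(blackhole_evaluation())  # ('Invalid', 'Valid')
```

In production relying-party software the same local assertion is usually expressed as a SLURM file (RFC 8416) rather than a separate trust anchor, but the validation outcome the routers see is the same.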