[arin-ppml] implementing RPKI prefix validation actually increases risk

Job Snijders job at fastly.com
Tue Jun 6 10:23:27 EDT 2023

Hi Michel,

On Tue, Jun 06, 2023 at 02:29:35AM +0000, Michel Py via ARIN-PPML wrote:
> The problem here is that RPKI validation is at the very top of the BGP
> bestpath decision process, before weight and local-preference, without
> any way to change that.

Can you share your device's network configuration?

It sounds to me that you configured your devices to apply RPKI-ROV and
reject RPKI-invalid routes coming in via the blackhole BGP sessions, and
now are surprised that RPKI-invalid routes are rejected on the blackhole
BGP sessions.

You could configure your devices to not do RPKI-ROV on the blackhole BGP
sessions (essentially granting the blackhole BGP server unfiltered
access into your network), and continue to do RPKI-ROV on all other EBGP
sessions (transit, peering, private peering, customer facing).

> I am not deploying it because I don't want it or don't understand it,
> I am not deploying it because it simply does not work for me.

Please keep an open mind that there might be a misunderstanding

Kind regards,


More information about the ARIN-PPML mailing list