[arin-ppml] implementing RPKI prefix validation actually increases risk

Job Snijders job at fastly.com
Tue Jun 6 10:23:27 EDT 2023


Hi Michel,

On Tue, Jun 06, 2023 at 02:29:35AM +0000, Michel Py via ARIN-PPML wrote:
> The problem here is that RPKI validation is at the very top of the BGP
> bestpath decision process, before weight and local-preference, without
> any way to change that.

Can you share your device's network configuration?

It sounds to me that you configured your devices to apply RPKI-ROV and
reject RPKI-invalid routes coming in via the blackhole BGP sessions, and
now are surprised that RPKI-invalid routes are rejected on the blackhole
BGP sessions.

You could configure your devices to not do RPKI-ROV on the blackhole BGP
sessions (essentially granting the blackhole BGP server unfiltered
access into your network), and continue to do RPKI-ROV on all other EBGP
sessions (transit, peering, private peering, customer facing).

> I am not deploying it because I don't want it or don't understand it,
> I am not deploying it because it simply does not work for me.

Please keep an open mind that there might be a misunderstanding
somewhere.

Kind regards,

Job
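
The per-session arrangement suggested in the message above, modelled as import policy. This is an added example, not part of the original message and not any vendor's configuration syntax; the session class names, the VRP entries and the routes used with it are constructed for illustration.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max_length, origin_asn)
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if route.version == vrp_net.version and route.subnet_of(vrp_net):
            covered = True
            if route.prefixlen <= max_len and origin_asn == vrp_asn:
                return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Hypothetical session classes. ROV is a per-session import policy choice.
ROV_ENABLED = {"transit": True, "peering": True, "customer": True,
               "blackhole": False}

def import_route(session, prefix, origin_asn):
    """Return (accepted, state); state is None when ROV is skipped."""
    if not ROV_ENABLED[session]:
        # No ROV here: whatever the blackhole server announces is accepted,
        # so that session is fully trusted.
        return True, None
    state = rov_state(prefix, origin_asn)
    return state != "invalid", state
```

A /32 inside a prefix whose VRP has max length 24 is RPKI-invalid whatever its origin, which is why a blackhole host route is dropped on any session where ROV is applied and accepted only where it is switched off.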


