[arin-ppml] implementing RPKI prefix validation actually increases risk

Job Snijders job at fastly.com
Tue Jun 6 13:55:10 EDT 2023

On Tue, Jun 06, 2023 at 05:38:33PM +0000, Michel Py wrote:
> I don't think that this is specific to Cisco, just happens to be the
> implementation I use.

It seems to be specific to the implementation you use.

> I'm not following you here; RPKI-ROV is not configured on a per-peer
> or a per-session basis, what am I missing here ?  As mentioned
> earlier, a different route-map for different purposes has no effect on
> the best path decision. No matter what the situation, a valid RPKI
> prefix will always become the best path, which leads directly to
> blanketing the entire address space as valid at the RTR level to
> resolve.

In many (if not all) BGP implementations RPKI-ROV can be configured on a
per-peer or per-session basis.

I'll make a wild guess (based on a hostname you shared in an earlier
message, I think you use Cisco IOS XE), and therefore I suspect you'll
want to configure:

    "bgp bestpath prefix-validate allow-invalid"
    (under the "router bgp <ASN>" hierarchy.)

Then, in a route-map (specific to the blackhole sessions), increase the
LOCAL_PREF to higher than the other BGP routes you wish to override.
See the documentation [1].

This is my last message on the topic; as Brad Gorman noted, this
conversation might be a bit off-topic. To me it seems a configuration
problem, not a policy problem.

You can message me off-list if you have more questions on how to deploy.

Kind regards,


[1]: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.html
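The configuration the message above describes, written out as an added illustration (not Job's or Cisco's own configuration): `allow-invalid` under `router bgp`, plus a route-map on the blackhole session only that raises LOCAL_PREF above what the transit sessions receive. The ASNs, addresses, community value and route-map names are assumed placeholders.

```cisco
! Added example; ASN, neighbor addresses and names are placeholders.
ip community-list standard BLACKHOLE permit 65535:666
!
router bgp 65000
 ! RPKI cache (RTR) the router validates against
 bgp rpki server tcp 192.0.2.10 port 323 refresh 300
 ! Let RPKI-invalid paths take part in best-path selection instead
 ! of being dropped outright; policy below decides what wins.
 bgp bestpath prefix-validate allow-invalid
 !
 ! Ordinary transit/peer session: default LOCAL_PREF, invalids demoted
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 route-map TRANSIT-IN in
 !
 ! Internal blackhole session: only this session gets the high LOCAL_PREF
 neighbor 198.51.100.1 remote-as 65000
 neighbor 198.51.100.1 route-map BLACKHOLE-IN in
!
! Applied per session, so the override is scoped to blackhole routes only
route-map BLACKHOLE-IN permit 10
 match community BLACKHOLE
 set local-preference 200
!
route-map TRANSIT-IN permit 10
 match rpki invalid
 set local-preference 50
route-map TRANSIT-IN permit 20
 set local-preference 100
```

Before relying on this, check in the linked Cisco document [1] where the RPKI validation state sits in the best-path algorithm for your release, since that ordering decides whether LOCAL_PREF set in the route-map is compared before or after validation state.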
