[arin-ppml] implementing RPKI prefix validation actually increases risk
Job Snijders
job at fastly.com
Tue Jun 6 13:55:10 EDT 2023
On Tue, Jun 06, 2023 at 05:38:33PM +0000, Michel Py wrote:
> I don't think that this is specific to Cisco, just happens to be the
> implementation I use.
It seems to be specific to the implementation you use.
> I'm not following you here; RPKI-ROV is not configured on a per-peer
> or a per-session basis, what am I missing here ? As mentioned
> earlier, a different route-map for different purposes has no effect on
> the best path decision. No matter what the situation, a valid RPKI
> prefix will always become the best path, which leads directly to
> blanketing the entire address space as valid at the RTR level to
> resolve.
In many (if not all) BGP implementations RPKI-ROV can be configured on a
per-peer or per-session basis.
I'll make a wild guess (based on a hostname you shared in an earlier
message I think you use Cisco IOS XE), and therefore I suspect you'll
want to configure:
"bgp bestpath prefix-validate allow-invalid"
(under the "router bgp <ASN>" hierarchy.)
Then, in a route-map (specific to the blackhole sessions), increase the
LOCAL_PREF to higher than the other BGP routes you wish to override.
See the documentation [1].
This is my last message on the topic as Brad Gorman noted, this
conversation might be a bit off-topic. To me it seems a configuration
problem, not a policy problem.
You can message me off-list if you have more questions on how to deploy
RPKI-ROV!
Kind regards,
Job
[1]: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.html
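A worked IOS XE configuration of the approach Job describes, added here as an example and not part of the original message: AS numbers, peer addresses, the blackhole community, route-map names and the discard next hop are placeholders.

```cisco
! Added example (not from the original message). Placeholders: AS 64500,
! peers 192.0.2.1 / 198.51.100.1, community 64500:666, next hop 192.0.2.254.
router bgp 64500
 ! Let RPKI-invalid routes take part in best path selection instead of
 ! being excluded outright; the per-session route-maps below decide.
 bgp bestpath prefix-validate allow-invalid
 !
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description Transit peer
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description RTBH (blackhole) session
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map TRANSIT-IN in
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map BLACKHOLE-IN in
 exit-address-family
!
! Regular sessions: because allow-invalid no longer excludes invalid routes
! automatically, drop them explicitly here and accept the rest.
route-map TRANSIT-IN deny 10
 match rpki invalid
route-map TRANSIT-IN permit 20
!
! Blackhole session: accept only routes carrying the blackhole community,
! point them at the discard next hop, and raise LOCAL_PREF above the
! default of 100 so the blackhole route wins best path over a valid
! covering route learned from transit.
ip community-list standard BLACKHOLE permit 64500:666
route-map BLACKHOLE-IN permit 10
 match community BLACKHOLE
 set local-preference 500
 set ip next-hop 192.0.2.254
route-map BLACKHOLE-IN deny 20
!
ip route 192.0.2.254 255.255.255.255 Null0
```

Check the result with "show bgp ipv4 unicast <prefix>": the blackhole path should show the raised LOCAL_PREF and be selected as best, while the same prefix from the transit session keeps its RPKI state but loses on preference.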