[arin-ppml] implementing RPKI prefix validation actually increases risk

Michel Py michel at arneill-py.sacramento.ca.us
Tue Jun 6 14:27:38 EDT 2023


Hi Job,

> Job Snijders wrote :
> I'll make a wild guess (based on a hostname you shared in an earlier message I think you use Cisco IOS XE),

Correct.

> and therefore I suspect you'll want to configure:  "bgp bestpath prefix-validate allow-invalid"    (under the "router bgp <ASN>" hierarchy.)
> Then, in a route-map (specific to the blackhole sessions), increase the LOCAL_PREF to higher than the other BGP routes you wish to override.

Exactly what I did, and my point was: it does not work, and it's not a bug, it's by design. No matter how I finagle with route-maps, there is nothing I can do. Local-preference and weight and anything else I could customize are below RPKI validation in the decision process.

If you look in the details of what I posted earlier, you will see that the prefix in question has the longest AS-PATH, the lowest local-preference and the lowest weight, and it still becomes the best path. What you just mentioned was the logical thing to do; that's what I tried: no go. It's by design.

> It seems to be specific to the implementation you use.

Thanks for the education, I think you are right. I guess we just have to ignore the elephant in the room. And for those of us who happen to use the elephant's products, resort to RTR-based SLURM blanketing. :-(

Michel
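
As an added illustration of the "RTR-based SLURM blanketing" fallback mentioned above (this is not from Michel's or Job's posts, and the ASN, prefix and comment are documentation values chosen here, not taken from the thread): an RFC 8416 SLURM file loaded by the RPKI validator/RTR cache. The locally added assertion makes the cache emit a VRP covering the blackhole more-specifics, so the router receives them as RPKI valid over RTR and the decision-process ordering that Michel describes is never reached for them.

```json
{
  "slurmVersion": 1,
  "validationOutputFilters": {
    "prefixFilters": [],
    "bgpsecFilters": []
  },
  "locallyAddedAssertions": {
    "prefixAssertions": [
      {
        "asn": 64496,
        "prefix": "192.0.2.0/24",
        "maxPrefixLength": 32,
        "comment": "Illustrative only (documentation ASN and prefix, not from the thread): let /25-/32 blackhole more-specifics originated by AS64496 validate as RPKI valid on routers fed by this cache"
      }
    ],
    "bgpsecAssertions": []
  }
}
```

Two caveats a practitioner would want: the assertion is only as narrow as its maxPrefixLength, so loosening it to 32 also makes any /25-/32 from that ASN valid on every router that takes RTR from this cache, and it changes nothing on routers fed by a different cache. Scope the ASN and prefix to exactly the blackhole source, and keep the SLURM file under change control next to the router configuration it is compensating for.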
