[arin-ppml] implementing RPKI prefix validation actually increases risk
Michel Py
michel at arneill-py.sacramento.ca.us
Tue Jun 6 14:27:38 EDT 2023
Hi Job,
> Job Snijders wrote :
> I'll make a wild guess (based on a hostname you shared in an earlier message I think you use Cisco IOS XE),
Correct.
> and therefor I suspect you'll want to configure: "bgp bestpath prefix-validate allow-invalid" (under the "router bgp <ASN>" hierarchy.)
> Then, in a route-map (specific to the blackhole sessions), increase the LOCAL_PREF to higher than the other BGP routes you wish to override.
Exactly what I did, and my point was : it does not work, and it's not a bug, it's by design. No matter how I finagle with route-maps, there is nothing I can do. Local-preference and weight and anything else I could customize are below RPKI validation in the decision process.
If you look in the details of what I posted earlier, you will see that the prefix in question has the longest AS-PATH, the lowest local-preference and the lowest weight, and it still becomes the best path. What you just mentioned was the logical thing to do, that's what I tried, no go. It's by design.
> It seems to be specific to the implementation you use.
Thanks for the education, I think you are right. I guess we just have to ignore the elephant in the room. And for those of us who happen to use the elephant's products, resort to RTR-based SLURM blanketing. :-(
Michel
More information about the ARIN-PPML
mailing list