[arin-ppml] implementing RPKI prefix validation actually increases risk

Alejandro Acosta alejandroacostaalamo at gmail.com
Wed Jun 7 08:22:42 EDT 2023


Hello,

On 6/6/23 10:23 AM, Job Snijders via ARIN-PPML wrote:
> Hi Michel,
>
> On Tue, Jun 06, 2023 at 02:29:35AM +0000, Michel Py via ARIN-PPML wrote:
>> The problem here is that RPKI validation is at the very top of the BGP
>> bestpath decision process, before weight and local-preference, without
>> any way to change that.
> Can you share your device's network configuration?
>
> It sounds to me that you configured your devices to apply RPKI-ROV and
> reject RPKI-invalid routes coming in via the blackhole BGP sessions, and
> now are surprised that RPKI-invalid routes are rejected on the blackhole
> BGP sessions.
>
> You could configure your devices to not do RPKI-ROV on the blackhole BGP
> sessions (essentially granting the blackhole BGP server unfiltered
> access into your network), and continue to do RPKI-ROV on all other EBGP
> sessions (transit, peering, private peering, customer facing).


I thought of another approach, but at least it does not exist in the platform 
I'm using.

Instead of not doing RPKI-ROV, it would be nice if you could have a 
sort of route-map configured against the BGP feed so that all of its 
prefixes would be treated as valid. This would do the trick.


Alejandro,


>
>> I am not deploying it because I don't want it or don't understand it,
>> I am not deploying it because it simply does not work for me.
> Please keep an open mind that there might be a misunderstanding
> somewhere.
>
> Kind regards,
>
> Job
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
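As an added illustration (not from either poster, and not a configuration from any vendor platform discussed in the thread), the per-session split Job describes is straightforward on BIRD 2, where ROV is nothing more than a `roa_check()` call inside an import filter, so a session simply uses a filter that does not call it. The ASNs, addresses, community value and RTR cache hostname below are constructed placeholders from documentation ranges, and the blackhole session is additionally confined to host routes tagged with the feed's blackhole community, since a session exempt from ROV should not be allowed to influence the general routing table.

```bird
# Added example (not from the thread): BIRD 2 configuration applying
# RPKI-ROV on a transit session but not on a blackhole feed session.
# All ASNs, addresses, the community and the RTR cache are constructed
# placeholders.

roa4 table r4;

# RPKI-to-router (RTR) session that populates the ROA table.
protocol rpki rtr_cache {
  roa4 { table r4; };
  remote "rtr-cache.example.net" port 323;   # placeholder cache
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# ROV filter: reject routes whose origin AS or prefix length conflicts
# with a ROA; NotFound and Valid are accepted unchanged.
filter rov_in
{
  if roa_check(r4, net, bgp_path.last) = ROA_INVALID then {
    print "RPKI-invalid: ", net, " origin AS", bgp_path.last;
    reject;
  }
  accept;
}

# Blackhole-feed filter: no roa_check, so RPKI-invalid host routes are
# not dropped here, but the feed may only deliver /32 routes carrying
# the agreed blackhole community, and they are installed as blackholes.
filter blackhole_in
{
  if net.len != 32 then reject;
  if ! ((64497, 666) ~ bgp_community) then reject;   # constructed community
  dest = RTD_BLACKHOLE;
  accept;
}

# Transit session: ROV applied.
protocol bgp transit1 {
  local as 64500;
  neighbor 192.0.2.1 as 64496;
  ipv4 {
    import filter rov_in;
    export none;
  };
}

# Blackhole feed session: ROV deliberately not applied.
protocol bgp blackhole_feed {
  local as 64500;
  neighbor 192.0.2.9 as 64497;
  ipv4 {
    import filter blackhole_in;
    export none;
  };
}
```

The same pattern covers Alejandro's wish for a per-feed "treat as valid" knob: because the validation state is computed in the filter rather than fixed ahead of the best-path decision, the feed's filter simply never consults the ROA table. On platforms where ROV is wired into the best-path algorithm before local-preference, the equivalent is disabling the validation check for that one neighbor, at the cost Job points out of trusting that neighbor's announcements, which is why the filter above narrows what the feed is permitted to send.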
