<div dir="ltr"><div>Obviously you would only allow your customer to advertise host-routes that are within his prefix ranges I would think...</div><div>But yes what <span style="font-family:Tahoma,sans-serif;font-size:13.3333px">Chriztoffer suggested is the way to do this for now.</span></div><div><br></div><div>Cheers,</div><div>Melchior</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 29, 2019 at 1:42 PM Klimek, Denis <<a href="mailto:DKlimek@stadtwerke-norderstedt.de">DKlimek@stadtwerke-norderstedt.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="DE">
<div class="gmail-m_-392377222078350750WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">In that scenario a customer could blackhole traffic for foreign ip addresses :-/<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Mit freundlichem Gruß<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Stadtwerke Norderstedt<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Arial,sans-serif;color:teal">Denis Klimek</span></b><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Professional Network Engineer<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">IP-Systemtechnik<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Tel: 040 / 521 04 – 1049<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Mobil: 0151 / 652 219 06<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-family:Arial,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><a href="mailto:dklimek@stadtwerke-norderstedt.de" target="_blank"><span style="color:rgb(5,99,193)">dklimek@stadtwerke-norderstedt.de</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><a href="http://www.stadtwerke-norderstedt.de/" target="_blank"><span style="color:rgb(5,99,193)">www.stadtwerke-norderstedt.de</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">Von:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Chriztoffer Hansen [mailto:<a href="mailto:chriztoffer@netravnen.de" target="_blank">chriztoffer@netravnen.de</a>]
<br>
<b>Gesendet:</b> Donnerstag, 29. August 2019 13:12<br>
<b>An:</b> Klimek, Denis<br>
<b>Cc:</b> '<a href="mailto:rpki@nlnetlabs.nl" target="_blank">rpki@nlnetlabs.nl</a>'<br>
<b>Betreff:</b> Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis <<a href="mailto:DKlimek@stadtwerke-norderstedt.de" target="_blank">DKlimek@stadtwerke-norderstedt.de</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<div>
<p class="gmail-m_-392377222078350750onecomwebmail-msonormal"><span lang="EN-US">Today I played around with RPKI against our customer BGP sessions and noticed that if a customer wants to send a /32 or /128 route to blackhole his traffic that this is not accepted due invalid rpki state.</span><u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal">Why not re-configure your route-map to accept host routes. <b>
Before</b> the RPKI state validation is done later in the route-map?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">-- <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Chriztoffer<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
-- <br>
RPKI mailing list<br>
<a href="mailto:RPKI@nlnetlabs.nl" target="_blank">RPKI@nlnetlabs.nl</a><br>
<a href="https://www.nlnetlabs.nl/mailman/listinfo/rpki" rel="noreferrer" target="_blank">https://www.nlnetlabs.nl/mailman/listinfo/rpki</a><br>
</blockquote></div></div>