From: Klimek, Denis <DKlimek at Stadtwerke-Norderstedt.de>
Date: Thu, 29 Aug 2019 09:43:30 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Message-ID: <6bcfce800a644e9490da8871ad42d8dc@Daisy.Stadtwerke.Norderstedt>

Dear all,

we've deployed RPKI weeks ago against our transit and peering sessions all over our network, which works fine so far :)

Today I played around with RPKI against our customer BGP sessions and noticed that if a customer wants to send a /32 or /128 route to blackhole his traffic, this is not accepted due to an invalid RPKI state.

Is it somehow possible to reconfigure Routinator to send a valid state for host routes if the "parent" object is valid? Otherwise I do not see any chance to run RPKI alone, without local prefix lists, to allow customers to send blackhole routes.

Kind regards
Stadtwerke Norderstedt

Denis Klimek
Professional Network Engineer
IP-Systemtechnik

Tel: 040 / 521 04 - 1049
Mobil: 0151 / 652 219 06

dklimek at stadtwerke-norderstedt.de
www.stadtwerke-norderstedt.de


From: Job Snijders <job at ntt.net>
Date: Thu, 29 Aug 2019 09:59:28 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <6bcfce800a644e9490da8871ad42d8dc@Daisy.Stadtwerke.Norderstedt>
Message-ID: <20190829095928.GC96664@vurt.meerval.net>

On Thu, Aug 29, 2019 at 09:43:30AM +0000, Klimek, Denis wrote:
> Today I played around with RPKI against our customer BGP sessions and
> noticed that if a customer wants to send a /32 or /128 route to
> blackhole his traffic that this is not accepted due invalid rpki
> state.
> Is it somehow possible to reconfigure Routinator to send a valid state
> for hostroutes if the "parent" object is valid?

No, this is not possible. Keep in mind that RTR is a "push" protocol: the RPKI Cache Validator (for instance Routinator) pushes the full list of VRPs (VRPs are decrypted & validated ROAs) to the router, and then the router does lookups in its local cache.

> Otherwise I do not see any chance to run RPKI alone without local
> prefix lists to allow customers to send blackhole routes.

I recommend that at this moment you indeed use a local prefix-list as an allowlist for what blackholes to accept from whom.

NTT & Telia are working on a method to leverage pmacct to do off-router validation of blackhole routes and re-inject the routes that pass the validation process. See http://iepg.org/2019-03-24-ietf104/blackholing_reconsidered_ietf104_snijders.pdf for more information.

Kind regards,

Job


From: Chriztoffer Hansen <chriztoffer at netravnen.de>
Date: Thu, 29 Aug 2019 11:12:06 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <6bcfce800a644e9490da8871ad42d8dc@Daisy.Stadtwerke.Norderstedt>
Message-ID: <1567077126129.31858.5178@webmail2>

On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis wrote:
> Today I played around with RPKI against our customer BGP sessions and
> noticed that if a customer wants to send a /32 or /128 route to
> blackhole his traffic that this is not accepted due invalid rpki state.

Why not re-configure your route-map to accept host routes *before* the RPKI state validation is done later in the route-map?

--
Chriztoffer


From: Klimek, Denis <DKlimek at Stadtwerke-Norderstedt.de>
Date: Thu, 29 Aug 2019 11:42:07 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <1567077126129.31858.5178@webmail2>

In that scenario a customer could blackhole traffic for foreign IP addresses :-/

Kind regards
Stadtwerke Norderstedt

Denis Klimek
Professional Network Engineer
IP-Systemtechnik

> From: Chriztoffer Hansen [mailto:chriztoffer at netravnen.de]
> Sent: Thursday, 29 August 2019 13:12
> To: Klimek, Denis
> Cc: 'rpki at nlnetlabs.nl'
> Subject: Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
>
> Why not re-configure your route-map to accept host routes *before* the
> RPKI state validation is done later in the route-map?


From: Melchior Aelmans <melchior at aelmans.eu>
Date: Thu, 29 Aug 2019 13:43:58 +0200
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Obviously you would only allow your customer to advertise host-routes that are within his prefix ranges, I would think... But yes, what Chriztoffer suggested is the way to do this for now.

Cheers,
Melchior

On Thu, Aug 29, 2019 at 1:42 PM Klimek, Denis <DKlimek at stadtwerke-norderstedt.de> wrote:
> In that scenario a customer could blackhole traffic for foreign ip
> addresses :-/


From: Job Snijders <job at ntt.net>
Date: Thu, 29 Aug 2019 11:51:14 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Message-ID: <20190829115114.GF96664@vurt.meerval.net>

On Thu, Aug 29, 2019 at 01:43:58PM +0200, Melchior Aelmans wrote:
> Obviously you would only allow your customer to advertise host-routes
> that are within his prefix ranges I would think...
How do you generate that list of allowed prefixes reliably? If you base it on IRR, anyone can include AS15169 in their AS-SET and subsequently 8.8.8.0/24 and friends would make their way into the allowlist. This approach is as bad as what all providers already do today, hence my proposal on the iepg website.

> But yes what Chriztoffer suggested is the way to do this for now.

It depends on how you interpret what Chriztoffer suggested.

Kind regards,

Job


From: Job Snijders <job at ntt.net>
Date: Thu, 29 Aug 2019 11:34:59 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <1567077126129.31858.5178@webmail2>

On Thu, Aug 29, 2019 at 11:28 AM Chriztoffer Hansen wrote:
> Why not re-configure your route-map to accept host routes. Before the
> RPKI state validation is done later in the route-map?

You gotta make sure that the customer is allowed to announce those host routes...

You don't want (most) customers to be able to blackhole 1.1.1.1 or 8.8.8.8

Kind regards,

Job


From: Tim Bruijnzeels <tim at nlnetlabs.nl>
Date: Thu, 29 Aug 2019 14:00:56 +0200
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Hi,

Maybe you can use an export of the VRPs to find the networks for your specific customer ASNs that you would want to allow them to send /32 or /128 on.

Unfortunately RPKI implementations in the router do not differentiate between invalid_asn and invalid_length (but correct ASN). Otherwise you could have required (rpki valid | rpki invalid-length).

Or am I misunderstanding the issue here? Sorry, just learning about actual routing operations, so looking at this from a more theoretical RPKI angle, where I have a bit more experience :D

Tim

> On 29 Aug 2019, at 13:34, Job Snijders wrote:
>
> You gotta make sure that the customer is allowed to announce those hostroutes...
>
> You don't want (most) customers to be able to blackhole 1.1.1.1 or 8.8.8.8


From: Klimek, Denis <DKlimek at Stadtwerke-Norderstedt.de>
Date: Thu, 29 Aug 2019 12:03:27 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Message-ID: <6d461ae6cb554457ac5db4777447bd43@Daisy.Stadtwerke.Norderstedt>

Matching two different invalid states (incorrect ASN/prefix length) could solve the issue :-)
But I don't think that the router vendors are going to implement this soon.... For now I decided to keep local prefix-filter lists if a customer wants to take advantage of blackholing.

Kind regards
Stadtwerke Norderstedt

Denis Klimek
Professional Network Engineer
IP-Systemtechnik

> -----Original message-----
> From: RPKI [mailto:rpki-bounces at nlnetlabs.nl] on behalf of Tim Bruijnzeels
> Sent: Thursday, 29 August 2019 14:01
> To: Job Snijders
> Cc: rpki at nlnetlabs.nl
> Subject: Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
>
> Unfortunately RPKI implementations in the router do not differentiate
> between invalid_asn and invalid_length (but correct ASN). Otherwise you
> could have required (rpki valid | rpki invalid-length).


From: Job Snijders <job at ntt.net>
Date: Thu, 29 Aug 2019 12:03:22 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Hi Tim,

On Thu, Aug 29, 2019 at 12:01 PM Tim Bruijnzeels wrote:
> Maybe you can use an export of the VRPs to find the networks for your
> specific customer ASNs, that you would want to allow them to send /32
> or /128 on.

Right, but that doesn't help you find the customers of your customers.

> Unfortunately RPKI implementations in the router do not differentiate
> between invalid_asn and invalid_length (but correct ASN). Otherwise you
> could have required (rpki valid | rpki invalid-length).

Yes, that would be interesting but is not possible on today's routers.

> Or am I mis-understanding the issue here? Sorry, just learning about
> actual routing operations, so looking at this from a more theoretical
> rpki angle - where I have a bit more experience :D

Kind regards,

Job


From: Tim Bruijnzeels <tim at nlnetlabs.nl>
Date: Thu, 29 Aug 2019 14:21:08 +0200
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <6d461ae6cb554457ac5db4777447bd43@Daisy.Stadtwerke.Norderstedt>

Hi

> On 29 Aug 2019, at 14:03, Klimek, Denis wrote:
>
> Matching two different invalid states (incorrect ASN/prefix length) could solve the issue :-)
> But I don't think that the router vendors are going to implement this soon....

The Routinator API will answer the question though:
https://rpki.readthedocs.io/en/latest/routinator/interactive.html#validity-checker

But.. I think it's ill-advised, if even possible, to hook API calls into your config.

And just FYI / background:

There was discussion about this in the IETF around 8 years ago? (could even be 10..) And back then the conclusion was that there were no foreseeable scenarios in the context of RPKI where you would treat the error cases differently. So they got exactly the same status.

It may be worth re-opening this discussion in the IETF, also in the context of the work that is being done on ASPA. Because, when you are quite certain that the path is correct, then you may want to be more lenient about invalid length. Although a corner case exists where a 3rd ASN is authorised to do covering announcements, but no specifics.

In any case the outcome of such a discussion is unclear, and will for sure not see implementation overnight if the outcome was to recognise the difference.

Tim
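Added example (not code from this thread, from Routinator, or from any router vendor): the distinction Tim and Denis are discussing above, written out in Python against a constructed VRP table. rov() performs RFC 6811 route origin validation but keeps the reason for an invalid, and accept_blackhole() is the (rpki valid | rpki invalid-length) policy for host routes tagged with the RFC 7999 BLACKHOLE community (65535:666), which is what a router cannot express today because both invalid reasons arrive as one state. The VRPs, prefixes and ASNs are documentation and private values made up for the example, and session_origins is an assumed per-session allowlist of origin ASNs, not something from the thread.

```python
import ipaddress
from typing import Iterable, Optional, Sequence, Set, Tuple

VRP = Tuple[str, int, int]  # (prefix, maxLength, origin ASN)

# Constructed VRP table, shaped like the list a validator such as Routinator
# pushes to a router over RTR. Documentation prefixes and private ASNs only;
# these are not real ROAs.
VRPS: Sequence[VRP] = [
    ("192.0.2.0/24", 24, 64500),     # customer A: ROA allows only the /24
    ("2001:db8::/32", 48, 64500),    # customer A: IPv6, maxLength /48
    ("198.51.100.0/24", 32, 64501),  # customer B: ROA already allows /32s
    ("203.0.113.0/24", 24, 64502),   # someone else's network
]

BLACKHOLE = "65535:666"  # RFC 7999 well-known BLACKHOLE community


def rov(prefix: str, origin_as: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 route origin validation that keeps the reason for an invalid.

    Returns 'not-found', 'valid', 'invalid-length' or 'invalid-asn'. Routers
    collapse the last two into a single 'invalid' state, which is exactly why
    (rpki valid | rpki invalid-length) cannot be written in a route-map today.
    """
    route = ipaddress.ip_network(prefix)
    covering = []
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # subnet_of() raises on mixed address families, so compare versions first
        if vrp.version == route.version and route.subnet_of(vrp):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    same_asn = [max_len for max_len, asn in covering if asn == origin_as]
    if any(route.prefixlen <= max_len for max_len in same_asn):
        return "valid"
    return "invalid-length" if same_asn else "invalid-asn"


def accept_blackhole(prefix: str, origin_as: int, communities: Set[str],
                     vrps: Iterable[VRP],
                     session_origins: Optional[Set[int]] = None) -> Tuple[bool, str]:
    """Decide whether a customer's blackhole announcement should be honoured.

    Accepts only host routes tagged BLACKHOLE whose origin ASN holds a covering
    ROA: RPKI valid, or invalid solely because of the prefix length.
    session_origins is an assumed per-session set of ASNs the customer may
    originate. ROV does not authenticate the AS_PATH, so without such a list a
    customer could announce a /32 with a forged origin matching a foreign ROA.
    Returns (accepted, reason).
    """
    route = ipaddress.ip_network(prefix)
    if route.prefixlen != route.max_prefixlen:  # /32 or /128 only
        return False, "not a host route"
    if BLACKHOLE not in communities:
        return False, "no BLACKHOLE community"
    if session_origins is not None and origin_as not in session_origins:
        return False, "origin not allowed on this session"
    state = rov(prefix, origin_as, vrps)
    return state in ("valid", "invalid-length"), state


if __name__ == "__main__":
    # Constructed announcements as (prefix, origin ASN, communities)
    announcements = [
        ("192.0.2.10/32", 64500, {BLACKHOLE}),      # under customer A's /24 ROA
        ("2001:db8:1::1/128", 64500, {BLACKHOLE}),  # under customer A's IPv6 ROA
        ("198.51.100.7/32", 64501, {BLACKHOLE}),    # ROA maxLength already /32
        ("203.0.113.1/32", 64500, {BLACKHOLE}),     # foreign space, wrong ASN
        ("192.0.2.10/32", 64500, set()),            # no BLACKHOLE community
        ("192.0.2.0/24", 64500, {BLACKHOLE}),       # not a host route
    ]
    for prefix, asn, comms in announcements:
        accepted, reason = accept_blackhole(prefix, asn, comms, VRPS)
        print(f"{prefix:<20} AS{asn}  {'ACCEPT' if accepted else 'REJECT'}  ({reason})")
```

Running the block prints one decision per constructed announcement: the /32 and /128 under customer A's ROAs come back invalid-length and are accepted, the /32 inside someone else's ROA space is rejected as invalid-asn, and a /32 without the community or a non-host route is rejected before validation runs. ROV says nothing about who put the origin ASN into the AS_PATH, which is why the session_origins check (or the per-customer prefix list Denis keeps) still has to exist alongside it.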
From: Stavros Konstantaras <stavros.konstantaras at ams-ix.net>
Date: Thu, 29 Aug 2019 14:21:21 +0200
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <6d461ae6cb554457ac5db4777447bd43@Daisy.Stadtwerke.Norderstedt>
Message-ID: <70D7839B-1D41-4483-870C-FEC050E5BB65@ams-ix.net>

Based on the current standards and vendor implementations, I believe another potential solution to make this work is to use a separate routing instance (e.g. a server running BIRD or other software), which customers can use to send blackhole routes.

With BIRD running on a simple box, you could easily implement an import filter where a customer is allowed to advertise a /32 route that carries the BLACKHOLE community as well (and only that, nothing else). Then, with a little bit of Python scripting, you could either program your basic Juniper or Cisco router accordingly or trigger your purchased anti-DDoS service.

The positive on that workaround is that programmatically you are more flexible and can perhaps apply some extra logic. The drawback is that customers need to maintain a second BGP session (plus your setup is much more complicated).

Best regards,
Stavros Konstantaras | NOC Engineer | AMS-IX
M +31 (0) 620 89 51 04 | T +31 20 305 8999
ams-ix.net

> On 29 Aug 2019, at 14:03, Klimek, Denis wrote:
>
> Matching two different invalid states (incorrect ASN/prefix length) could solve the issue :-)
> But I don't think that the router vendors are going to implement this soon.... for now I decided to keep local prefixfilter lists if a customer wants to use advantage of blackholing.


From: Job Snijders <job at ntt.net>
Date: Thu, 29 Aug 2019 12:33:58 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <70D7839B-1D41-4483-870C-FEC050E5BB65@ams-ix.net>
Message-ID: <20190829123358.GG96664@vurt.meerval.net>

On Thu, Aug 29, 2019 at 02:21:21PM +0200, Stavros Konstantaras wrote:
> Based on the current standards and vendor implementations, I believe
> another potential solution to make this work is to use a separate
> routing instance (e.g a server running BIRD or other software), where
> customers can use it to send blackhole routes.
>
> With BIRD running on a simple box, you could easily implement an
> import filter where a customer is allowed to advertise a /32 route
> that carries the BLACKHOLE community as well (and only that, nothing
> else). Then, with a little bit of python scripting you could either
> program your basic Juniper or Cisco router accordingly or trigger your
> purchased anti-DDoS service.

What do you base the import filter on?

Kind regards,

Job


From: Klimek, Denis <DKlimek at Stadtwerke-Norderstedt.de>
Date: Thu, 29 Aug 2019 12:34:34 +0000
Subject: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
In-Reply-To: <20190829123358.GG96664@vurt.meerval.net>
Message-ID: <5d626c8f72ed4e13b08a36065d6199be@Daisy.Stadtwerke.Norderstedt>

I think it would be much easier to ask the software router vendors (GoBGP, OpenBGP etc. pp.) to implement the feature to reply with different valid/invalid states for each route. This saves the community a lot of work with external scripts that need to be triggered. But of course for the end customer it would mean setting up a 2nd BGP session only for blackholing :-/

Kind regards
Stadtwerke Norderstedt

Denis Klimek
Professional Network Engineer
IP-Systemtechnik

> -----Original message-----
> From: Job Snijders [mailto:job at ntt.net]
> Sent: Thursday, 29 August 2019 14:34
> To: Stavros Konstantaras
> Cc: Klimek, Denis; rpki at nlnetlabs.nl
> Subject: Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
>
> What do you base the import filter on?