[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Job Snijders job at ntt.net
Thu Aug 29 09:59:28 UTC 2019

On Thu, Aug 29, 2019 at 09:43:30AM +0000, Klimek, Denis wrote:
> Today I played around with RPKI against our customer BGP sessions and
> noticed that if a customer wants to send a /32 or /128 route to
> blackhole his traffic that this is not accepted due invalid rpki
> state.

> Is it somehow possible to reconfigure Routinator to send a valid state
> for hostroutes if the "parent" object is valid?

no, this is not possible. Keep in mind that RTR is a "push" protocol,
the RPKI Cache Validator (for instance routinator) pushes the full list
of VRPs (VRPs are decrypted & validated ROAs) to the router, and then
the router does lookups in its local cache.

> Otherwise I do not see any chance to run RPKI alone without local
> prefix lists to allow customers to send blackhole routes.

I recommend that at this moment you indeed use a local prefix-list as
allowlist what blackholes to accept from who.

NTT & Telia are working on a method to leverage pmacct to do off-router
validation of blackhole routes to and re-inject routes that pass the
validation process.

See http://iepg.org/2019-03-24-ietf104/blackholing_reconsidered_ietf104_snijders.pdf
for more information

Kind regards,


More information about the RPKI mailing list