[RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Job Snijders
job at ntt.net
Thu Aug 29 09:59:28 UTC 2019
On Thu, Aug 29, 2019 at 09:43:30AM +0000, Klimek, Denis wrote:
> Today I played around with RPKI against our customer BGP sessions and
> noticed that if a customer wants to send a /32 or /128 route to
> blackhole his traffic, this is not accepted due to invalid RPKI
> state.
> Is it somehow possible to reconfigure Routinator to send a valid state
> for hostroutes if the "parent" object is valid?
No, this is not possible. Keep in mind that RTR is a "push" protocol,
the RPKI Cache Validator (for instance routinator) pushes the full list
of VRPs (VRPs are decrypted & validated ROAs) to the router, and then
the router does lookups in its local cache.
> Otherwise I do not see any chance to run RPKI alone without local
> prefix lists to allow customers to send blackhole routes.
I recommend that at this moment you indeed use a local prefix-list as
an allowlist for which blackholes to accept from whom.
NTT & Telia are working on a method to leverage pmacct to do off-router
validation of blackhole routes and to re-inject the routes that pass the
validation process.
See http://iepg.org/2019-03-24-ietf104/blackholing_reconsidered_ietf104_snijders.pdf
for more information.
Kind regards,
Job
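As an added illustration of the lookup described above (not code from this thread, from Routinator or from pmacct), the following Python implements the RFC 6811 origin-validation decision over a pushed VRP list, showing why a /32 or /128 more-specific comes back Invalid when the covering ROA's maxLength is shorter, even with the correct origin AS, and how a local allowlist can admit such blackhole routes separately. The VRPs, ASNs and allowlist entries are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload as pushed over RTR: prefix, maxLength, origin ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample VRPs (documentation prefixes and private ASNs, not real data).
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]


def _covers(container: str, net: ipaddress._BaseNetwork) -> bool:
    """True if `net` lies inside `container`; mixing v4/v6 never matches."""
    outer = ipaddress.ip_network(container)
    return outer.version == net.version and net.subnet_of(outer)


def rov_state(vrps, route: str, origin_as: int) -> str:
    """RFC 6811 route origin validation: NotFound, Valid or Invalid."""
    net = ipaddress.ip_network(route, strict=False)
    covering = [v for v in vrps if _covers(v.prefix, net)]
    if not covering:
        return "NotFound"
    for v in covering:
        # Origin must match AND the announced length must not exceed maxLength.
        if v.asn == origin_as and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def accept_blackhole(vrps, route: str, origin_as: int, allowlist) -> bool:
    """Accept a host route if ROV says Valid, or if an operator-maintained
    allowlist of (customer ASN, prefix) pairs covers it (hypothetical structure)."""
    net = ipaddress.ip_network(route, strict=False)
    if rov_state(vrps, route, origin_as) == "Valid":
        return True
    return any(asn == origin_as and _covers(allowed, net)
               for asn, allowed in allowlist)
```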