[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Melchior Aelmans melchior at aelmans.eu
Thu Aug 29 11:43:58 UTC 2019


Obviously you would only allow your customer to advertise host-routes that
are within his prefix ranges I would think...
But yes what Chriztoffer suggested is the way to do this for now.

Cheers,
Melchior

On Thu, Aug 29, 2019 at 1:42 PM Klimek, Denis <
DKlimek at stadtwerke-norderstedt.de> wrote:

> In that scenario a customer could blackhole traffic for foreign ip
> addresses :-/
>
> Kind regards
>
> Stadtwerke Norderstedt
>
> *Denis Klimek*
> Professional Network Engineer
> IP-Systemtechnik
>
> Tel:        040 / 521 04 – 1049
> Mobile:    0151 / 652 219 06
>
> dklimek at stadtwerke-norderstedt.de
> www.stadtwerke-norderstedt.de
>
> *From:* Chriztoffer Hansen [mailto:chriztoffer at netravnen.de]
> *Sent:* Thursday, 29 August 2019 13:12
> *To:* Klimek, Denis
> *Cc:* 'rpki at nlnetlabs.nl'
> *Subject:* Re: [RPKI] Accepting smaller routes than RPKI object allows
> (blackholing)
>
> On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis <
> DKlimek at stadtwerke-norderstedt.de> wrote:
>
> Today I played around with RPKI against our customer BGP sessions and
> noticed that if a customer wants to send a /32 or /128 route to blackhole
> his traffic that this is not accepted due to invalid RPKI state.
>
> Why not re-configure your route-map to accept host routes. *Before* the
> RPKI state validation is done later in the route-map?
>
>
>
> --
>
> Chriztoffer
>
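
Added example, not part of the thread and not any participant's configuration: a vendor-neutral Python model of the term ordering discussed above, where host routes are matched before RPKI origin validation but only when they fall inside the customer's own prefix ranges. The prefixes, ASNs, ROA table and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use ASNs.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:100::/48")]
ROAS = [  # (prefix, max_length, origin_asn)
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("2001:db8:100::/48"), 48, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64501),
]

def covers(outer, inner):
    """True if 'inner' is equal to or more specific than 'outer'."""
    return outer.version == inner.version and inner.subnet_of(outer)

def rov_state(route, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ipaddress.ip_network(route)
    covering = [r for r in ROAS if covers(r[0], prefix)]
    if not covering:
        return "not-found"
    for _, max_len, asn in covering:
        if asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or too specific

def evaluate(route, origin_asn):
    """Ordered import policy for a customer session: (action, reason)."""
    prefix = ipaddress.ip_network(route)
    # Term 1: /32 and /128 are handled before ROV, and only accepted
    # when the customer's registered prefix ranges cover them.
    if prefix.prefixlen == prefix.max_prefixlen:
        if any(covers(c, prefix) for c in CUSTOMER_PREFIXES):
            return ("accept-blackhole", "host route inside customer prefix")
        return ("reject", "host route outside customer prefix")
    # Term 2: all other routes go through ROV (the ordinary customer
    # prefix filter for these routes is omitted from this model).
    state = rov_state(route, origin_asn)
    if state == "invalid":
        return ("reject", "rpki invalid")
    return ("accept", "rpki " + state)

if __name__ == "__main__":
    for r in ("192.0.2.55/32", "198.51.100.7/32", "2001:db8:100::1/128",
              "192.0.2.0/24", "192.0.2.0/25"):
        print(r, rov_state(r, 64500), evaluate(r, 64500))
```
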