[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Job Snijders job at ntt.net
Thu Aug 29 11:34:59 UTC 2019


On Thu, Aug 29, 2019 at 11:28 AM Chriztoffer Hansen
<chriztoffer at netravnen.de> wrote:
> On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis <DKlimek at stadtwerke-norderstedt.de> wrote:
>
> Today I played around with RPKI against our customer BGP sessions and noticed that if a customer wants to send a /32 or /128 route to blackhole his traffic that this is not accepted due to invalid RPKI state.
>
> Why not re-configure your route-map to accept host routes before the RPKI state validation is done later in the route-map?

You gotta make sure that the customer is allowed to announce those hostroutes...

You don't want (most) customers to be able to blackhole 1.1.1.1 or 8.8.8.8

Kind regards,

Job
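
The check discussed in this thread, as an added example that is not part of the original message or any router's own code: a host route carrying the BLACKHOLE community is exempted from the maxLength test only when a VRP for the customer's own origin AS covers it. The VRP table, the AS numbers and the function names are constructed for illustration, and taking the customer's authorisation from covering VRPs (rather than, say, a per-customer prefix list) is an assumption.

```python
import ipaddress

BLACKHOLE = (65535, 666)  # BLACKHOLE well-known community (RFC 7999)

# Constructed sample VRPs: (prefix, maxLength, origin ASN), documentation ranges only.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
    ("198.51.100.0/24", 24, 64501),
]

def covering_vrps(prefix, vrps):
    """Return the VRPs whose prefix covers `prefix`, ignoring maxLength."""
    net = ipaddress.ip_network(prefix)
    found = []
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version == net.version and net.subnet_of(vrp_net):
            found.append((vrp_net, max_len, asn))
    return found

def rov_state(prefix, origin_asn, vrps):
    """Route origin validation as in RFC 6811: valid, invalid or not-found."""
    net = ipaddress.ip_network(prefix)
    covering = covering_vrps(prefix, vrps)
    if not covering:
        return "not-found"
    for _, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

def accept_customer_route(prefix, origin_asn, communities, vrps):
    """Hypothetical import policy for one customer session: (action, ROV state)."""
    net = ipaddress.ip_network(prefix)
    state = rov_state(prefix, origin_asn, vrps)
    if net.prefixlen == net.max_prefixlen and BLACKHOLE in communities:
        # Blackhole exception: skip the maxLength test, but still require a
        # covering VRP for the customer's own origin AS before accepting.
        owned = any(asn == origin_asn for _, _, asn in covering_vrps(prefix, vrps))
        return ("blackhole", state) if owned else ("reject", state)
    # Everything else follows plain origin validation.
    return ("reject", state) if state == "invalid" else ("accept", state)
```

Note that 1.1.1.1/32 is "not-found" against this table, so a policy that only drops "invalid" routes would let it through; the ownership test is what rejects it.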


