[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Tim Bruijnzeels tim at nlnetlabs.nl
Thu Aug 29 12:00:56 UTC 2019


Maybe you can use an export of the VRPs to find the networks for your specific customer ASNs, that you would want to allow them to send /32 or /128 on.

Unfortunately RPKI implementations in the router do not differentiate between invalid_asn and invalid_length (but correct ASN). Otherwise you could have required (rpki valid | rpki invalid-length).

Or am I mis-understanding the issue here? Sorry, just learning about actual routing operations, so looking at this from a more theoretical rpki angle - where I have a bit more experience :D 


> On 29 Aug 2019, at 13:34, Job Snijders <job at ntt.net> wrote:
> On Thu, Aug 29, 2019 at 11:28 AM Chriztoffer Hansen
> <chriztoffer at netravnen.de> wrote:
>> On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis <DKlimek at stadtwerke-norderstedt.de> wrote:
>> Today I played around with RPKI against our customer BGP sessions and noticed that if a customer wants to send a /32 or /128 route to blackhole his traffic that this is not accepted due invalid rpki state.
>> Why not re-configure your route-map to accept host routes. Before the RPKI state validation is done later in the route-map?
> You gotta make sure that the customer is allowed to announce those hostroutes...
> You don't want (most) customers to be able to blackhole or
> Kind regards,
> Job
> -- 
> RPKI mailing list
> RPKI at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/rpki

More information about the RPKI mailing list