[RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Tim Bruijnzeels
tim at nlnetlabs.nl
Thu Aug 29 12:00:56 UTC 2019
Hi,
Maybe you can use an export of the VRPs to find the networks for your specific customer ASNs, that you would want to allow them to send /32 or /128 on.
Unfortunately RPKI implementations in the router do not differentiate between invalid_asn and invalid_length (but correct ASN). Otherwise you could have required (rpki valid | rpki invalid-length).
Or am I misunderstanding the issue here? Sorry, just learning about actual routing operations, so looking at this from a more theoretical RPKI angle - where I have a bit more experience :D
Tim
> On 29 Aug 2019, at 13:34, Job Snijders <job at ntt.net> wrote:
>
> On Thu, Aug 29, 2019 at 11:28 AM Chriztoffer Hansen
> <chriztoffer at netravnen.de> wrote:
>> On 29 August 2019 at 09:43:30 -00:00, Klimek, Denis <DKlimek at stadtwerke-norderstedt.de> wrote:
>>
>> Today I played around with RPKI against our customer BGP sessions and noticed that if a customer wants to send a /32 or /128 route to blackhole his traffic, this is not accepted due to an invalid RPKI state.
>>
>> Why not re-configure your route-map to accept host routes before the RPKI state validation is done later in the route-map?
>
> You gotta make sure that the customer is allowed to announce those host routes...
>
> You don't want (most) customers to be able to blackhole 1.1.1.1 or 8.8.8.8
>
> Kind regards,
>
> Job
> --
> RPKI mailing list
> RPKI at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/rpki
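The two points Tim raises above (using a VRP export to find which prefixes a customer ASN may send host routes from, and the fact that routers collapse "invalid because of length" and "invalid because of origin ASN" into one state) can be made concrete in a few lines. The following is an added example, not code from Tim, Job, or any RPKI validator: it assumes a VRP export in the JSON shape that common validators produce (a "roas" list with asn, prefix and maxLength), uses constructed documentation prefixes and private ASNs rather than real ROAs, and splits the RFC 6811 "invalid" outcome into the two reasons the thread describes so that a policy can accept a /32 or /128 only when the customer's own ROA covers it.

```python
import ipaddress
import json

# Constructed sample VRP export (documentation prefixes, private ASNs).
# Shape assumed: {"roas": [{"asn": "AS...", "prefix": "...", "maxLength": N}]}
VRP_EXPORT_JSON = """
{"roas": [
  {"asn": "AS64500", "prefix": "192.0.2.0/24",    "maxLength": 24, "ta": "example"},
  {"asn": "AS64500", "prefix": "2001:db8:1::/48", "maxLength": 48, "ta": "example"},
  {"asn": "AS64501", "prefix": "198.51.100.0/24", "maxLength": 25, "ta": "example"},
  {"asn": "AS64502", "prefix": "203.0.113.0/24",  "maxLength": 24, "ta": "example"}
]}
"""


def load_vrps(text):
    """Parse the export into (asn, network, maxLength) tuples."""
    vrps = []
    for roa in json.loads(text)["roas"]:
        asn = int(str(roa["asn"]).upper().lstrip("AS"))
        vrps.append((asn, ipaddress.ip_network(roa["prefix"]), int(roa["maxLength"])))
    return vrps


VRPS = load_vrps(VRP_EXPORT_JSON)


def validate(vrps, prefix, origin_asn):
    """RFC 6811 origin validation, but with 'invalid' split into the two reasons
    the thread distinguishes:
      invalid-length: a VRP for this ASN covers the prefix, but the announced
                      prefix is more specific than that VRP's maxLength
      invalid-asn:    covered by VRPs, none of which is for this ASN
    Routers report only 'invalid' for both; this function keeps them apart."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v[1].version == net.version and net.subnet_of(v[1])]
    if not covering:
        return "not-found"
    same_asn = [v for v in covering if v[0] == origin_asn]
    if any(net.prefixlen <= maxlen for (_, _, maxlen) in same_asn):
        return "valid"
    if same_asn:
        return "invalid-length"
    return "invalid-asn"


def blackhole_allow_list(vrps, customer_asn):
    """Prefix-list entries (prefix, 'le' bits) from which customer_asn may send
    host routes: every VRP prefix registered to that ASN, down to /32 or /128.
    This is the per-customer list Tim suggests deriving from the VRP export."""
    entries = []
    for asn, net, _ in vrps:
        if asn == customer_asn:
            entries.append((str(net), 32 if net.version == 4 else 128))
    return sorted(entries)


def accept_blackhole(vrps, prefix, origin_asn):
    """Policy from the thread: accept a host route only when the customer's own
    ROA covers it (valid, or invalid purely because of length). A /32 for a
    prefix the customer has no ROA for (invalid-asn or not-found) is rejected,
    so a customer cannot blackhole someone else's address."""
    net = ipaddress.ip_network(prefix)
    is_host = net.prefixlen == net.max_prefixlen
    state = validate(vrps, prefix, origin_asn)
    return is_host and state in ("valid", "invalid-length")


if __name__ == "__main__":
    for asn in (64500, 64501):
        print(asn, blackhole_allow_list(VRPS, asn))
    for pfx, asn in (("192.0.2.7/32", 64500), ("203.0.113.9/32", 64500),
                     ("1.1.1.1/32", 64500), ("2001:db8:1::1/128", 64500)):
        print(pfx, asn, validate(VRPS, pfx, asn), accept_blackhole(VRPS, pfx, asn))
```

Note the design choice in accept_blackhole: a host route with no covering VRP at all is treated as "not-found" and rejected here, rather than passed through, because the thread's concern is precisely that the customer must be shown to be allowed to announce the covering prefix; an operator whose policy already checks not-found routes against IRR data could relax that branch.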