[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Tim Bruijnzeels tim at nlnetlabs.nl
Thu Aug 29 12:21:08 UTC 2019


> On 29 Aug 2019, at 14:03, Klimek, Denis <DKlimek at Stadtwerke-Norderstedt.de> wrote:
> Matching two different invalid states (incorrect ASN/prefix length) could solve the issue :-)
> But I don't think that the router vendors are going to implement this soon.... 

The Routinator API will answer the question though:
https://rpki.readthedocs.io/en/latest/routinator/interactive.html#validity-checker

But.. I think it's ill-advised, if even possible, to hook API calls into your config.

and just fyi / background

There was discussion about this in the IETF around 8 years ago? (could even be 10..) And back then the conclusion was that there were no foreseeable scenarios in the context of RPKI where you would treat the error cases differently. So they got exactly the same status.

It may be worth re-opening this discussion in the IETF, also in the context of the work that is being done on ASPA. Because, when you are quite certain that the path is correct, then you may want to be more lenient about invalid length. Although a corner case exists where a 3rd ASN is authorised to do covering announcements, but no specifics.

In any case the outcome of such a discussion is unclear, and will for sure not see implementation overnight if the outcome was to recognise the difference.
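
Added example, not part of the original message and not Routinator's code: a minimal RFC 6811 origin validation in Python that also reports which of the two invalid cases discussed in this thread applies (wrong origin ASN versus prefix longer than maxLength). The `VRP` tuple, the `validate` function, the reason labels and the sample VRPs (documentation prefixes and private-use ASNs) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength, authorised origin ASN."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_VRPS = [
    VRP("203.0.113.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64500),
    VRP("192.0.2.0/24", 24, 0),   # AS0 VRP: never matches any route
]

def validate(route_prefix: str, origin_asn: int,
             vrps=SAMPLE_VRPS) -> Tuple[str, Optional[str]]:
    """Return (state, reason).

    state follows RFC 6811: "valid", "invalid" or "not-found".
    reason is only set for "invalid" and splits it into:
      "length" - a covering VRP names this origin ASN, but the
                 announced prefix is longer than its maxLength
      "as"     - no covering VRP names this origin ASN at all
    """
    route = ipaddress.ip_network(route_prefix)
    covering = [
        v for v in vrps
        if ipaddress.ip_network(v.prefix).version == route.version
        and route.subnet_of(ipaddress.ip_network(v.prefix))
    ]
    if not covering:
        return ("not-found", None)

    # RFC 6811: a VRP with ASN 0 cannot match any route.
    same_asn = [v for v in covering if v.asn == origin_asn and v.asn != 0]
    if any(route.prefixlen <= v.max_length for v in same_asn):
        return ("valid", None)
    return ("invalid", "length" if same_asn else "as")

if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500),    # covered by the ROA
                        ("203.0.113.66/32", 64500),   # blackhole host route
                        ("203.0.113.66/32", 64511),   # unauthorised origin
                        ("198.51.100.0/24", 64500)]:  # no covering VRP
        print(prefix, asn, validate(prefix, asn))
```

Both `/32` announcements come back with the same RFC 6811 state, `invalid`; only the added reason field tells the blackhole route from the authorised origin apart from the one with an unauthorised origin.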

