[RPKI] Accepting smaller routes than RPKI object allows (blackholing)

Klimek, Denis DKlimek at Stadtwerke-Norderstedt.de
Thu Aug 29 12:34:34 UTC 2019

I think it would be much more easier to ask the software routers vendors (GoBGP,OpenBGP etc pp) to implement the feature to reply with different valid/invalid states for each routes.
This saves the community a lot of work with external scripts that needs to be triggered. But of course for the endcustomer it would cause setting up a 2nd BGP session only for blackholing :-/

Mit freundlichem Gruß
Stadtwerke Norderstedt

Denis Klimek
Professional Network Engineer

Tel:        040 / 521 04 - 1049
Mobil:    0151 / 652 219 06
dklimek at stadtwerke-norderstedt.de

-----Ursprüngliche Nachricht-----
Von: Job Snijders [mailto:job at ntt.net] 
Gesendet: Donnerstag, 29. August 2019 14:34
An: Stavros Konstantaras
Cc: Klimek, Denis; rpki at nlnetlabs.nl
Betreff: Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)

On Thu, Aug 29, 2019 at 02:21:21PM +0200, Stavros Konstantaras wrote:
> Based on the current standards and vendor implementations, I believe
> another potential solution to make this work is to use a separate
> routing instance (e.g a server running BIRD or other software), where
> customers can use it to send blackhole routes. 
> With BIRD running on a simple box, you could easily implement an
> import filter where a customer is allowed to advertise a /32 route
> that carries the BLACKHOLE community as well (and only that, nothing
> else). Then, with a little bit of python scripting you could either
> program your basic Juniper or Cisco router accordingly or trigger your
> purchased anti-DDoS service. 

What do you base the import filter on?

Kind regards,


More information about the RPKI mailing list