nanog mailing list archives

RE: deploying RPKI based Origin Validation


From: Michel Py <michel.py () tsisemi com>
Date: Tue, 17 Jul 2018 18:33:59 +0000

Job Snijders wrote :
I calculated this here few days ago
http://instituut.net/~job/rpki-report-2018.07.12.txt
Markus Weber from KPN is generating a daily report here and drew similar
conclusions: https://as286.net/data/ana-invalids.txt Markus scrapes all
routes from the AS 286 PEs and marks the routes for which no valid or
unknown alternative exists as "altpfx=NONE".

If I understand this correctly, I have a suggestion : update these files at a regular interval (15/20 min) and make 
them available for download with a fixed name (not containing the date).
Even better : have a route server that announces these prefixes with a :666 community so people could use it as a 
blackhole.

This would not remove the invalid prefixes from one's router, but at leat would prevent traffic from/to these prefixes.
In other words : a route server of prefixes that are RPKI invalid with no alternative that people could use without 
having an RPKI setup.
This would even work with people who have chosen do accept a default route from their upstream.

I understand this is not ideal; blacklisting a prefix that is RPKI invalid may actually help the hijacker, but 
blacklisting a prefix that is RPKI invalid AND that has no alternative could be useful ?
Should be considered a bogon.

Regards,
Michel.



TSI Disclaimer:  This message and any files or text attached to it are intended only for the recipients named above and 
contain information that may be confidential or privileged. If you are not the intended recipient, you must not 
forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have 
received this message in error, please notify the sender immediately by replying to this message, and then delete all 
copies of it from your system. Thank you!...


Current thread: