[c-nsp] RPKI extended-community RFC8097
Gert Doering
gert at greenie.muc.de
Sat Apr 18 08:03:14 EDT 2020
Hi,
On Sat, Apr 18, 2020 at 01:20:58PM +0200, Robert Raszuk wrote:
> Using BGP predefined ext communities is one way to enable origin validation
> on all your routers. Then if you do you may want to enable or disable
> invalid paths to be best path eligible. By default they would not be part
> of best path.
>
> If you like to only deprefer them I am marking them with local pref and do
> not need to touch any of the IBGP routers.
For "more specific announcement" attacks, local-pref'ing the RPKI invalids
to "ineligible" isn't going to work, as there are no valid alternates.
Ceterum censeo, the only reasonable approach to RPKI OV seems to be
"drop invalids" or "do not bother" (except for a certain phase in
between where you want to monitor first to see if it has any noticeable
effect on production traffic).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20200418/8cb7ee42/attachment.sig>
More information about the cisco-nsp
mailing list