[c-nsp] RPKI extended-community RFC8097

Gert Doering gert at greenie.muc.de
Sat Apr 18 08:03:14 EDT 2020


Hi,

On Sat, Apr 18, 2020 at 01:20:58PM +0200, Robert Raszuk wrote:
> Using BGP predefined ext communities is one way to enable origin validation
> on all your routers. Then, if you do, you may want to enable or disable
> invalid paths to be best-path eligible. By default they would not be part
> of best path.
> 
> If you would like to only deprefer them, I mark them with local pref and do
> not need to touch any of the IBGP routers.

For "more specific announcement" attacks, local-pref'ing the RPKI invalids
to "ineligible" isn't going to work, as there are no valid alternates.

Ceterum censeo, the only reasonable approach to RPKI OV seems to be 
"drop invalids" or "do not bother" (except for a certain phase in 
between where you want to monitor first to see if it has any noticeable 
effect on production traffic).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
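[Editor's note: the model below is an added example, not code from the thread or from either poster. It is a toy model of RFC 6811 origin validation feeding BGP best-path selection and longest-prefix forwarding, written to show why depreferencing invalids stops a same-length origin hijack but not a more-specific one. All prefixes, ASNs, ROAs, AS paths and the local-pref values (100 for the default, 50 for invalids) are constructed for the example; the policy modes "none", "depref" and "drop" are hypothetical names, not router configuration keywords.]

```python
"""Toy RPKI origin validation (RFC 6811) + BGP best path + longest-prefix lookup.

Constructed example: prefixes, ASNs, ROAs and local-pref values are made up.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str        # covering prefix, e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the ROA authorises
    asn: int           # authorised origin AS


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple     # leftmost = neighbour, rightmost = origin AS
    local_pref: int = 100
    state: str = "not-found"

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def validate(route: Route, roas: Iterable[ROA]) -> str:
    """RFC 6811: 'not-found' if no ROA covers the prefix; 'valid' if some
    covering ROA authorises this origin AS at this prefix length; else 'invalid'."""
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.asn == route.origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def apply_policy(routes: Iterable[Route], roas: Iterable[ROA], mode: str) -> List[Route]:
    """Hypothetical ingress policies: 'none' ignores OV, 'depref' lowers
    local-pref of invalids to 50, 'drop' rejects invalids outright."""
    kept = []
    for r in routes:
        r = replace(r, state=validate(r, roas))
        if r.state == "invalid":
            if mode == "drop":
                continue
            if mode == "depref":
                r = replace(r, local_pref=50)
        kept.append(r)
    return kept


def best_paths(routes: Iterable[Route]) -> Dict[str, Route]:
    """Per-prefix best path: highest local-pref, then shortest AS path.
    Note that selection is per prefix; a /25 never competes with a /24 here."""
    best: Dict[str, Route] = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (r.local_pref, -len(r.as_path)) > (cur.local_pref, -len(cur.as_path)):
            best[r.prefix] = r
    return best


def lookup(address: str, fib: Dict[str, Route]) -> Optional[Route]:
    """Forwarding: longest-prefix match over the prefixes that have a best path."""
    addr = ipaddress.ip_address(address)
    candidates = [r for p, r in fib.items() if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed scenario: one ROA for the legitimate origin, maxlength 24.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]
ADJ_RIB_IN = [
    Route("192.0.2.0/24", (64501, 64500)),  # legitimate announcement: valid
    Route("192.0.2.0/24", (64666,)),        # same-length origin hijack: invalid
    Route("192.0.2.0/25", (64666,)),        # more-specific hijack: invalid (exceeds maxlength)
]


def origin_for(address: str, mode: str, routes=ADJ_RIB_IN, roas=ROAS) -> Optional[int]:
    """Origin AS the router would forward `address` towards under `mode`."""
    r = lookup(address, best_paths(apply_policy(routes, roas, mode)))
    return r.origin_as if r else None


if __name__ == "__main__":
    for mode in ("none", "depref", "drop"):
        print(f"{mode:7s} 192.0.2.77  -> AS{origin_for('192.0.2.77', mode)}"
              f"   192.0.2.200 -> AS{origin_for('192.0.2.200', mode)}")
```

For 192.0.2.200 (covered only by the /24) depref does its job: the invalid /24 loses to the valid one on local-pref. For 192.0.2.77 (also covered by the hijacker's /25) depref changes nothing, because the /25 is the only path for its own prefix, is therefore best regardless of local-pref, and longest-prefix match then sends the traffic to AS64666; only the drop policy leaves the valid /24 as the forwarding entry.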