[c-nsp] RPKI validation weirdness

Mark Tinka mark.tinka at seacom.mu
Fri May 8 06:05:18 EDT 2020



On 8/May/20 11:42, Robert Raszuk wrote:

> Frankly this was ugly as quite unexpected - but relatively easy to see
> what is going on. In this space I am much more worried about RPKI db
> accuracy than any of the implementation issues. I found a number of
> cases so far where what is in RPKI is just plain wrong - read INVALID
> :). And that is supposed to be the source of truth ...

Validator issue, perhaps?

We saw some discrepancies between FORT and Routinator back in February
in Melbourne. Possible those have now been fixed, though.


>
> Now I am actually considering automating detection of RPKI bad info
> and some sort of publishing it.
>
> See when you sign a block then sell this block without removing your
> RPKI signature, then the block gets cut into chunks and sold
> further - and no one in this process of transaction chain cares about
> RPKI - this entire story of using this for validation becomes pretty
> weak. And this is no longer NOT-FOUND. You get false INVALIDs which
> some may apply to suppress or drop.

One of the reasons you should now enable automatic ROA certification of
longer prefixes, if you only really meant to sign the parent.

Mark.
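The "false INVALID" the thread describes follows directly from the RFC 6811 state machine: any covering ROA that does not match the announcement yields INVALID, never NOT-FOUND. This added example (not from the thread or any validator project; documentation prefix 192.0.2.0/24 and private ASNs 64500-64502 are constructed) walks the sale-of-a-chunk scenario through a minimal origin validation routine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: authorised origin AS, prefix, maxLength."""
    asn: int
    prefix: str
    max_length: int

def rov_state(route_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return the RFC 6811 validation state of (prefix, origin AS) against a ROA set.

    NOT-FOUND: no ROA covers the prefix.
    VALID:     a covering ROA names this origin AS and its maxLength admits the prefix length.
    INVALID:   covering ROAs exist but none matches (the case the thread complains about).
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NOT-FOUND"
    for roa in covering:
        # AS 0 is never a legitimate origin (RFC 7607), so AS 0 ROAs only ever produce INVALID.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID"

# Constructed scenario: AS64500 signs its /24 (maxLength 24) and later sells the lower /26
# to AS64501 without anyone touching the RPKI.
PARENT_ROA = [ROA(asn=64500, prefix="192.0.2.0/24", max_length=24)]

def scenario():
    before_sale = rov_state("192.0.2.0/24", 64500, PARENT_ROA)   # VALID
    # Buyer announces its chunk: the parent ROA still covers it, so INVALID rather than NOT-FOUND.
    after_sale = rov_state("192.0.2.0/26", 64501, PARENT_ROA)    # INVALID
    # Remedy: a ROA for the child block under the new origin; the parent ROA can stay as-is.
    child_roa = ROA(asn=64501, prefix="192.0.2.0/26", max_length=26)
    fixed = rov_state("192.0.2.0/26", 64501, PARENT_ROA + [child_roa])  # VALID
    unrelated = rov_state("198.51.100.0/24", 64502, PARENT_ROA)  # NOT-FOUND (no covering ROA)
    return before_sale, after_sale, fixed, unrelated

if __name__ == "__main__":
    print(scenario())
```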

