[c-nsp] RPKI validation weirdness

Alarig Le Lay alarig at grifon.fr
Fri May 8 06:06:44 EDT 2020


On Fri 08 May 2020 11:42:51 GMT, Robert Raszuk wrote:
> See when you sign a block then sell this block without removing your RPKI
> signature, then the block gets cutted into chunks and sold further - and no
> one in this process of transaction chain cares about RPKI - this entire
> story of using this for validation becomes pretty weak. And this is no
> longer NOT-FOUND. You get false INVALIDs which some may apply to suppress
> or drop.

Well… if your LIR isn’t careful enough to take care of RPKI, then change
your LIR. And if the customer isn’t careful enough to verify the RPKI
state of its prefixes, some bad things will happen, one day or an other.
And this may not necessary involve RPKI.

-- 
Alarig


More information about the cisco-nsp mailing list