Re: RPKI and offline routes

["Jakob Heitz (jheitz)" <jheitz () cisco com>]

ASN 0 is used for this purpose.
Look for the word "zero" in
https://tools.ietf.org/html/rfc6907

Thanks,
Jakob.

> Date: Mon, 13 Jun 2016 17:53:45 -0500 (Central Sommerzeit)
> From: Matthias Waehlisch <m.waehlisch () fu-berlin de>
> To: Theodore Baschak <theodore () ciscodude net>
> Cc: NANOG Operators' Group <nanog () nanog org>
> Subject: Re: RPKI and offline routes
>
> Hi,
>
>   the creation of a ROA does not require the announcement of the prefix.
> Creation of a ROA, prefix announcement, and validation of the prefix are
> decoupled. If you are the legitimate resource holder you can create a
> ROA for this prefix (even if you don't advertise the prefix). As soon as
> the prefix is advertised, third parties can validate based on the
> created ROA.
>
>   However, in case the hijacker is able to use the legitimate origin
> ASN, the validation outcome would be valid. You would need to assign the
> prefix to an ASN that cannot be hijacked or is dropped for other
> reasons. (Or do BGPsec. ;)
>
>
> Cheers
>   matthias
>
> On Mon, 13 Jun 2016, Theodore Baschak wrote:
>
> > Can RPKI be used with routes that are not being advertised at the moment?
> > As in to sign a route that *could* be there, but is not there presently.
> >
> > There's been several BGP hijacks that I've followed closely that
> > involved hijacking IP space as well as the ASN that would normally
> > originate it. I'm wondering if having valid ROAs/RPKI would have
> > helped in this case or not.
> >
> >
> > Theodore Baschak - AS395089 - Hextet Systems