nanog mailing list archives
Re: RPKI and offline routes
From: "Jakob Heitz (jheitz)" <jheitz () cisco com>
Date: Tue, 14 Jun 2016 20:19:37 +0000
ASN 0 is used for this purpose.
Look for the word "zero" in https://tools.ietf.org/html/rfc6907

Thanks,
Jakob.
Date: Mon, 13 Jun 2016 17:53:45 -0500 (Central Sommerzeit)
From: Matthias Waehlisch <m.waehlisch () fu-berlin de>
To: Theodore Baschak <theodore () ciscodude net>
Cc: NANOG Operators' Group <nanog () nanog org>
Subject: Re: RPKI and offline routes

Hi,

the creation of a ROA does not require the announcement of the prefix. Creation of a ROA, prefix announcement, and validation of the prefix are decoupled.

If you are the legitimate resource holder you can create a ROA for this prefix (even if you don't advertise the prefix). As soon as the prefix is advertised, third parties can validate based on the created ROA.

However, in case the hijacker is able to use the legitimate origin ASN, the validation outcome would be valid. You would need to assign the prefix to an ASN that cannot be hijacked or is dropped for other reasons. (Or do BGPsec. ;)

Cheers
matthias

On Mon, 13 Jun 2016, Theodore Baschak wrote:

Can RPKI be used with routes that are not being advertised at the moment? As in to sign a route that *could* be there, but is not there presently.

There's been several BGP hijacks that I've followed closely that involved hijacking IP space as well as the ASN that would normally originate it. I'm wondering if having valid ROAs/RPKI would have helped in this case or not.

Theodore Baschak - AS395089 - Hextet Systems
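
Added example, not part of the original thread: a minimal Python sketch of RFC 6811-style route origin validation, showing why a ROA naming the owner's ASN still validates an announcement with a forged origin, while an AS 0 ROA makes every announcement of the unadvertised prefix invalid. The prefix and AS numbers are constructed from documentation ranges, and `VRP`, `validate` and `scenarios` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple, Sequence

class VRP(NamedTuple):
    """Validated ROA payload: what a relying party extracts from a ROA."""
    prefix: str
    max_length: int
    asn: int  # 0 means "no AS is authorised to originate this prefix"

def validate(route: str, origin_asn: int, vrps: Sequence[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announced route."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # An AS 0 VRP covers the route but can never match it.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefix and ASNs, not from the thread).
PREFIX = "192.0.2.0/24"
OWNER_AS, OTHER_AS = 64500, 64511
ROA_OWNER = [VRP(PREFIX, 24, OWNER_AS)]
ROA_AS0 = [VRP(PREFIX, 24, 0)]

def scenarios() -> dict:
    return {
        "no ROA, any origin": validate(PREFIX, OTHER_AS, []),
        "owner ROA, foreign origin": validate(PREFIX, OTHER_AS, ROA_OWNER),
        "owner ROA, forged owner origin": validate(PREFIX, OWNER_AS, ROA_OWNER),
        "owner ROA, forged origin, more specific": validate("192.0.2.0/25", OWNER_AS, ROA_OWNER),
        "AS0 ROA, forged owner origin": validate(PREFIX, OWNER_AS, ROA_AS0),
        "AS0 ROA, more specific": validate("192.0.2.128/25", OTHER_AS, ROA_AS0),
        "AS0 + owner ROA, owner origin": validate(PREFIX, OWNER_AS, ROA_AS0 + ROA_OWNER),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{state:9}  {name}")
```

The last scenario shows the operational consequence: when the prefix is brought back online, publishing a ROA for the real origin alongside the AS 0 ROA is enough for the legitimate announcement to validate.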