nanog mailing list archives
Re: deploying RPKI based Origin Validation
From: Mark Tinka <mark.tinka () seacom mu>
Date: Fri, 13 Jul 2018 14:53:30 +0200
On 13/Jul/18 14:43, Job Snijders wrote:
Have you considered applying "invalid == reject" on just transit/peering sessions rather than customer sessions as an intermediate step? I bet most misconfigurations or hijacks didn't come in via your customers.
Yes, we did. The issue is some of our customers did ROA their aggregates, but not the more-specifics. We didn't want to get into a situation where we had to custom-design templates depending on what RPKI mood the customer was in :-). But yes, the majority of the issue was with routes learned from peers and transit. That, though, still leaves the problem where you end up providing a partial routing table to your customers, while your competitors in the same market aren't. Most customers that aren't keen on IPv6 or DNSSEC treat RPKI the same way - as a nuisance. So trying to speak sense into them would be a more treacherous road to take than just turning it off until we get wider support within the BGP operational community. Mark.
Current thread:
- deploying RPKI based Origin Validation Job Snijders (Jul 12)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Grant Taylor via NANOG (Jul 13)
- Re: deploying RPKI based Origin Validation Christopher Morrow (Jul 13)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Grant Taylor via NANOG (Jul 13)
- Re: deploying RPKI based Origin Validation Christopher Morrow (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)
- Re: deploying RPKI based Origin Validation Baldur Norddahl (Jul 14)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 14)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 16)
- Re: deploying RPKI based Origin Validation Job Snijders (Jul 13)
- Re: deploying RPKI based Origin Validation Mark Tinka (Jul 13)