nanog mailing list archives
Re: CloudFlare issues?
From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 7 Jul 2019 19:18:15 +0200
On 6/Jul/19 23:44, Matt Corallo wrote:
> On my test net I take ROA_INVALIDs and convert them to unreachables with a low preference (i.e. so that any upstreams taking only the shorter path will be selected, but so that such packets will never be routed). Obviously this isn't a well-supported operation, but I'm curious what people think of such an approach? If you really want to treat ROA_INVALID as "this is probably a hijack", you don't really want to be sending the hijacker traffic.
If a prefix's RPKI state is Invalid, drop it! Simple.

In most cases, it's a mistake due to a mis-configuration and/or a lack of deep understanding of RPKI. In fewer cases, it's an actual hijack.

Either way, dropping the Invalid routes keeps the BGP clean and quickly encourages the originating network to get things fixed.

As you point out, RPKI state validation is locally-significant, with protection extending to downstream customers only. So for this to really work, it needs critical mass. One, two, three, four or five networks implementing ROV and dropping Invalids does not a secure BGP make.

Mark.
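The drop-Invalid policy discussed in the message above, as an added example that is not part of the original post: a small RFC 6811 origin-validation check showing that a maxLength misconfiguration and a wrong-origin announcement both come out Invalid. The VRPs, prefixes and ASNs are constructed from documentation ranges, and accepting NotFound routes is an assumption of this sketch.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and documentation ASNs, not real routing data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64503),
]

# Constructed sample announcements: (prefix, origin ASN).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # matches its VRP
    ("192.0.2.0/24", 64511),     # covered, wrong origin AS
    ("203.0.113.0/25", 64501),   # right origin, longer than maxLength
    ("198.51.100.0/24", 64502),  # no covering VRP at all
    ("2001:db8:1::/48", 64503),  # more-specific allowed by maxLength 48
]


def load_vrps(rows):
    """Parse (prefix, maxLength, asn) rows into network objects."""
    return [(ipaddress.ip_network(p), max_len, asn) for p, max_len, asn in rows]


def rov_state(prefix, origin_asn, vrps):
    """Return the RFC 6811 validation state for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_asn in vrps:
        # A VRP covers the route if the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS 0 in a VRP never matches any origin.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return VALID
    # Covered but unmatched is Invalid; never covered is NotFound.
    return INVALID if covered else NOT_FOUND


def apply_policy(routes, vrps):
    """Drop Invalid routes; keep Valid and NotFound (NotFound handling is an assumption)."""
    accepted, dropped = [], []
    for prefix, origin in routes:
        state = rov_state(prefix, origin, vrps)
        (dropped if state == INVALID else accepted).append((prefix, origin, state))
    return accepted, dropped
```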