nanog mailing list archives

RE: deploying RPKI based Origin Validation


From: Michel Py <michel.py () tsisemi com>
Date: Wed, 18 Jul 2018 20:16:15 +0000

Job Snijders wrote :
> Can you elaborate what routers with what software you are using? It surprises
> me a bit to find routers anno 2018 which can't do OV in some shape or form.

They're not anno 2018! Cisco 3900 with 4 Gigs. Good enough for me; with the current growth of the DFZ I may have 10
years left before I need to upgrade. I will probably upgrade before that because of bandwidth, but as of now it works well
enough for me, and upgrading just to get OV is going to be a tough sell.

>> What do I have left: using a subset of RPKI as a blackhole :-(
> If you implement 'invalid == blackhole', and cannot do normal OV - it seems to me that
> you'll be blackholing the actual victim of a BGP hijack? That would seem counter-productive.

I would indeed, but the intent was a subset of invalid: the invalid prefixes that nobody _but_ the hijacker announces,
so blackholing does not hurt the real owner.
In other words: un-announced prefixes that have been hijacked. These are not in bogon lists because they are real.

Now I have no illusions: this is not going to solve the world's problems, and how many of these are actually announced and
how that will play out in the longer term are questionable, but would that not be worth a quick shot at it?

Michel.
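The subset Michel describes, as an added illustration that is not code from the thread or from any vendor: classify each announcement per RFC 6811 against a ROA table, then keep only the invalids that do not overlap any valid route, so the legitimate owner (Job's concern) is never blackholed. ROAs and announcements are constructed sample data.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
ROAS = [  # (prefix, max_length, authorised origin ASN)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]
ANNOUNCEMENTS = [  # (prefix, origin ASN) as seen at a route collector
    ("192.0.2.0/24", 64500),     # legitimate owner
    ("192.0.2.0/24", 64666),     # invalid, but the owner also announces it
    ("198.51.100.0/24", 64666),  # invalid; owner announces nothing covering it
    ("203.0.113.0/24", 64666),   # not-found: no ROA covers it at all
]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation state for one (prefix, origin) pair."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed address families, so check version first
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if asn == origin and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"

def blackhole_candidates(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Invalid announcements whose space nobody announces validly.

    An invalid that overlaps any valid route (more or less specific) is
    skipped: blackholing it would also drop traffic for the real owner.
    """
    states = [(p, o, validate(p, o, roas)) for p, o in announcements]
    valid_nets = [ipaddress.ip_network(p) for p, _, s in states if s == "valid"]
    candidates = []
    for prefix, origin, state in states:
        if state != "invalid":
            continue  # valid and not-found routes are never blackholed
        net = ipaddress.ip_network(prefix)
        if any(net.overlaps(v) for v in valid_nets):
            continue  # legitimate owner is present; leave it alone
        candidates.append((prefix, origin))
    return candidates

if __name__ == "__main__":
    print(blackhole_candidates())  # [('198.51.100.0/24', 64666)]
```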

