nanog mailing list archives

Re: CloudFlare issues?


From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 7 Jul 2019 19:18:15 +0200



On 6/Jul/19 23:44, Matt Corallo wrote:
> On my test net I take ROA_INVALIDs and convert them to unreachables with
> a low preference (ie so that any upstreams taking only the shorter path
> will be selected, but so that such packets will never be routed).
>
> Obviously this isn't a well-supported operation, but I'm curious what
> people think of such an approach? If you really want to treat
> ROA_INVALID as "this is probably a hijack", you don't really want to be
> sending the hijacker traffic.

If a prefix's RPKI state is Invalid, drop it! Simple.

In most cases, it's a mistake due to a mis-configuration and/or a lack
of deep understanding of RPKI. In fewer cases, it's an actual hijack.

Either way, dropping the Invalid routes keeps the BGP clean and quickly
encourages the originating network to get things fixed.

As you point out, RPKI state validation is locally-significant, with
protection extending to downstream customers only. So for this to really
work, it needs critical mass. One, two, three, four or five networks
implementing ROV and dropping Invalids does not a secure BGP make.

Mark.
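As an added illustration (not code from either poster), the following implements RFC 6811 origin validation over a small ROA set and applies the drop-Invalid policy Mark describes, including the "misconfigured maxLength" case he attributes most Invalids to. All prefixes, AS numbers and ROAs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # ROA prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the ROA authorises
    origin_as: int    # authorised origin AS


def rov_state(prefix: str, origin_as: int, roas) -> str:
    """RFC 6811 route origin validation: Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)
    # Candidate ROAs are those whose prefix covers the announced prefix.
    covering = []
    for roa in roas:
        rnet = ipaddress.ip_network(roa.prefix)
        if rnet.version == net.version and net.subnet_of(rnet):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"         # origin AS and length both authorised
    return "Invalid"               # covered, but no ROA matches (hijack or misconfig)


def apply_drop_invalid(routes, roas):
    """Mark's policy: keep Valid and NotFound, discard Invalid.

    routes is a list of (prefix, origin_as) tuples; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for prefix, origin_as in routes:
        state = rov_state(prefix, origin_as, roas)
        (dropped if state == "Invalid" else accepted).append((prefix, origin_as, state))
    return accepted, dropped


# Constructed ROA set (documentation prefixes, private AS numbers).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 22, 64501),   # maxLength 22: /24s from AS64501 are Invalid
    ROA("2001:db8::/32", 48, 64500),
]

# Constructed announcements: genuine, hijack-like, misconfigured, and uncovered.
ROUTES = [
    ("203.0.113.0/24", 64500),    # Valid
    ("203.0.113.0/24", 64499),    # Invalid: wrong origin, looks like a hijack
    ("198.51.100.0/24", 64501),   # Invalid: right origin, maxLength too short
    ("192.0.2.0/24", 64502),      # NotFound: no ROA covers it
    ("2001:db8:1::/48", 64500),   # Valid
]
```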

