On 6/Jul/19 23:44, Matt Corallo wrote:
> On my test net I take ROA_INVALIDs and convert them to unreachables with a low preference (i.e., so that any upstreams taking only the shorter path will be selected, but so that such packets will never be routed).
>
> Obviously this isn't a well-supported operation, but I'm curious what people think of such an approach? If you really want to treat ROA_INVALID as "this is probably a hijack", you don't really want to be sending the hijacker traffic.

If a prefix's RPKI state is Invalid, drop it! Simple. In most cases, it's a mistake due to a mis-configuration and/or a lack of deep understanding of RPKI. In fewer cases, it's an actual hijack. Either way, dropping the Invalid routes keeps the BGP clean and quickly encourages the originating network to get things fixed.

As you point out, RPKI state validation is locally-significant, with protection extending to downstream customers only. So for this to really work, it needs critical mass. One, two, three, four or five networks implementing ROV and dropping Invalids does not a secure BGP make.

Mark.
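
The two policies discussed in this thread, as an added example that is not part of either message: a minimal RFC 6811 origin validation followed by a longest-prefix lookup, comparing a table built by dropping Invalids with one that installs them as low-preference unreachables. The VRP, prefixes, ASNs and next-hop names are constructed sample data, and `build_fib` and `lookup` are hypothetical helpers, not any router's API.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs), not from the thread.
# VRP = validated ROA payload: (prefix, max_length, origin_asn)
VRPS = [(ipaddress.ip_network("2001:db8::/32"), 32, 64500)]
# BGP announcements as received: (prefix, origin_asn, next_hop)
ANNOUNCEMENTS = [
    (ipaddress.ip_network("2001:db8::/32"), 64500, "upstream-A"),    # matches the ROA
    (ipaddress.ip_network("2001:db8:1::/48"), 64511, "upstream-B"),  # wrong origin, too long
    (ipaddress.ip_network("203.0.113.0/24"), 64501, "upstream-A"),   # no covering ROA
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        if prefix.version != vrp_prefix.version or not prefix.subnet_of(vrp_prefix):
            continue
        covered = True
        # AS0 VRPs never match any route.
        if vrp_asn != 0 and vrp_asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def build_fib(announcements, policy):
    """policy 'drop' discards Invalids; 'unreachable' installs them as a
    blackhole entry that never replaces a real route for the same prefix."""
    fib = {}
    for prefix, origin_asn, next_hop in announcements:
        if rov_state(prefix, origin_asn) != "invalid":
            fib[prefix] = next_hop
        elif policy == "unreachable":
            fib.setdefault(prefix, "unreachable")
    return fib

def lookup(fib, address):
    """Longest-prefix match; returns the next hop, 'unreachable' or None."""
    matches = [p for p in fib if address in p]
    return fib[max(matches, key=lambda p: p.prefixlen)] if matches else None

if __name__ == "__main__":
    target = ipaddress.ip_address("2001:db8:1::1")
    for policy in ("drop", "unreachable"):
        print(policy, "->", lookup(build_fib(ANNOUNCEMENTS, policy), target))
```

With the Invalid /48 dropped, packets for addresses inside it follow the covering Valid /32; with the unreachable entry installed, the same lookup hits the blackhole instead.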