On 13/Jul/18 14:43, Job Snijders wrote:
> Have you considered applying "invalid == reject" on just transit/peering sessions rather than customer sessions as an intermediate step? I bet most misconfigurations or hijacks didn't come in via your customers.
Yes, we did. The issue is some of our customers did ROA their aggregates, but not the more-specifics. We didn't want to get into a situation where we had to custom-design templates depending on what RPKI mood the customer was in :-).

But yes, the majority of the issue was with routes learned from peers and transit.

That, though, still leaves the problem where you end up providing a partial routing table to your customers, while your competitors in the same market aren't.

Most customers that aren't keen on IPv6 or DNSSEC treat RPKI the same way - as a nuisance. So trying to speak sense into them would be a more treacherous road to take than just turning it off until we get wider support within the BGP operational community.

Mark.
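The case discussed in this thread, as an added example that is not part of the original emails: RFC 6811 origin validation run against a ROA that covers only an aggregate, followed by a policy that rejects invalids on peer and transit sessions only. The prefixes, AS numbers, and the `accept` helper are constructed for illustration (documentation ranges, hypothetical policy function).

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int

# Constructed sample: the customer (AS64500) signed only its aggregate.
ROAS = [ROA("2001:db8::/32", 32, 64500)]

def validate(prefix, origin_asn, roas):
    """RFC 6811 route origin validation state for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if route.version != net.version or not route.subnet_of(net):
            continue  # this ROA does not cover the route
        covered = True
        # AS0 never matches; the route must not be longer than maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(state, session, reject_on=("peer", "transit")):
    """Hypothetical policy: drop invalids only on the listed session types."""
    return not (state == "invalid" and session in reject_on)

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS, session type).
    announcements = [
        ("2001:db8::/32", 64500, "customer"),
        ("2001:db8:a::/48", 64500, "customer"),
        ("2001:db8:a::/48", 64500, "peer"),
        ("2001:db8:b::/48", 64511, "transit"),
        ("198.51.100.0/24", 64501, "peer"),
    ]
    for prefix, asn, session in announcements:
        state = validate(prefix, asn, ROAS)
        print(f"{prefix:18} AS{asn} via {session:8} {state:9} accept={accept(state, session)}")
```

The /48 from the legitimate origin is invalid because it is longer than the aggregate ROA's maxLength, so the same announcement is kept on the customer session and dropped when heard from a peer.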