[RPKI-Discuss] [routing-wg] RPKI Route Origin Validation on RIPE NCC Network
Carlos M. Martinez
carlosm3011 at gmail.com
Thu Jun 3 18:18:06 UTC 2021
Hi Patrick!
On 3 Jun 2021, at 15:01, Patrick Okui wrote:
> In general I feel that organisations that publish RPKI data should
> also reject invalids, or we end up possibly passing on hijacked
> announcements which we set out to stop in the first place.
It depends on whether it makes sense to reject invalids or not. I work
for LACNIC so I feel free to use my network as an example.
LACNIC operates two autonomous systems, 28000 and 28001. AS 28000 is our
network in Montevideo, Uruguay and 28001 is our POP in Sao Paulo,
Brazil.
AS 28000 (MVD), due to the limited nature of the telecom services we
have access to in Montevideo, does not receive full routing and thus
needs a default route. In this case, rejecting invalids makes no sense
and it’s actually irrelevant. We do reject invalids so we can measure
it, but in terms of traffic makes no difference whatsoever.
AS 28001 (GRU) does get full routing and peers to IX.br. In this case it
does make sense to reject invalids.
So, IMO, ROV (either rejecting invalids or doing what you think is
appropriate) is a distinct operation from creating ROAs and I believe
that at this point in time every resource holder should be creating
their ROAs, but implementing ROV is something that it might or might not
make sense to a particular network.
Hope this helps.
/Carlos
More information about the RPKI-Discuss
mailing list