Dear W. Boot, On Thu, Apr 01, 2021 at 12:38:27PM +0200, W. Boot wrote:
Would "invalid" also include unsigned space?
No. By definition, unsigned space can never ever be "RPKI invalid". In order for any BGP route to be marked as "RPKI invalid", a RPKI ROA _MUST_ exist. Without covering ROAs, BGP routes cannot be "RPKI invalid".
If it does, that might lead to legacy space or networks getting space through certain NIRs to be accidentally being blocked by whomever relying on this, unless these blocks can be exempt from inclusion?
Luckily it doesn't! :-) Operators who use RPKI to perform BGP Route Origin Validation, do so to to detect & reject invalid routes. As mentioned above, BGP routes can only be recognized as 'invalid' if and only if a covering ROA exists. Complete and simple configuration examples can be found here: http://bgpfilterguide.nlnog.net/guides/reject_invalids/ By exclusively focussing on "RPKI invalid" BGP routes, RPKI ROV is incrementally deployable. Incremental deployability is a key factor. Kind regards, Job