On 23.6.2021. 12:09, Claudio Jeker wrote:
> On Wed, Jun 23, 2021 at 11:40:25AM +0200, Hrvoje Popovski wrote:
>> Hi all,
>>
>> First of all, thank you for rpki-client, it's so easy to use it and to
>> get the job done.
>> I'm playing with rpki-client and denying ovs invalid statement and I've
>> seen that with default ovs config statement (deny from ebgp ovs invalid)
>> BLACKHOLE routes are blocked/invalid.
>>
>> What is the right way to allow BLACKHOLE routes through rpki? Or if
>> someone can give me a hint on what to do.
>>
>
> BLACKHOLE routes normally have a more specific check so you can re-allow
> them back after the ovs invalid check (for that you need to take away the
> quick from the default ruleset or actually allow quick the blackholes
> before).
>
> I guess you can use something along the lines of:
> allow quick from group clients inet prefixlen 32 community $BLACKHOLE set
> nexthop blackhole
> allow quick from group clients inet6 prefixlen 128 community $BLACKHOLE set
> nexthop blackhole
>
> I guess you also have some client prefix-sets that should be added to the
> filter rule so that one client can not blackhole for another.
>
> BLACKHOLE routes are done in many ways and I'm not sure if there is
> consensus who is allowed to announce what. Also if there are multiple
> paths to the destination should the blackhole only be active if the
> covering route is from the same peer?
>
Thank you guys for rpki-client. Now we have blocked invalids in cix and blackhole routes still work :) Thank you ..
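The following bgpd.conf fragment is an added example that puts Claudio's suggestion into a complete, ordered ruleset; it is not config from the thread or from the OpenBSD examples. The AS numbers, router-id, neighbor addresses and prefix-sets are assumed documentation ranges. The reason a blackhole gets caught by the ovs check is that a /32 or /128 host route is normally longer than the maxLength of the ROA covering the customer's prefix, so RFC 6811 origin validation marks it invalid even though the customer is the legitimate origin. The example therefore matches blackholes first with quick, restricted to a per-customer prefix-set so that a customer can only blackhole addresses inside its own space, and only then applies the deny on ovs invalid:

```conf
# Added example bgpd.conf fragment (assumed ASN, router-id, peers, prefixes)
AS 65000
router-id 192.0.2.1

# Validation data written by rpki-client(8). The included file defines the
# roa-set from which bgpd derives the Origin Validation State (ovs) of a prefix.
include "/var/db/rpki-client/openbgpd"

# Well-known BLACKHOLE community (RFC 7999), used as a macro like in the thread
BLACKHOLE="65535:666"

# Per-customer prefix-sets. Regular announcements may be up to /28 (assumed
# policy); blackholes must be host routes inside the customer's own space, so
# one customer cannot blackhole an address belonging to another.
prefix-set "cust-a-v4" { 192.0.2.0/24 prefixlen <= 28 }
prefix-set "cust-a-v6" { 2001:db8:a::/48 prefixlen <= 64 }
prefix-set "cust-a-blackhole-v4" { 192.0.2.0/24 prefixlen = 32 }
prefix-set "cust-a-blackhole-v6" { 2001:db8:a::/48 prefixlen = 128 }

group "cust-a" {
	remote-as 65001
	neighbor 198.51.100.10 {
		descr "cust-a v4"
	}
	neighbor 2001:db8:ffff::10 {
		descr "cust-a v6"
	}
}

# Default deny in both directions, then explicit allows
deny from any
deny to any

# 1. Blackholes first, with quick, so the ovs check below never sees them.
#    Only host routes from the customer's own prefix-set, tagged BLACKHOLE,
#    are accepted, and the next hop is rewritten to discard.
allow quick from group "cust-a" prefix-set "cust-a-blackhole-v4" community $BLACKHOLE set nexthop blackhole
allow quick from group "cust-a" prefix-set "cust-a-blackhole-v6" community $BLACKHOLE set nexthop blackhole

# 2. Drop RPKI invalids from every external peer. Because this rule is quick,
#    no later rule can re-allow an invalid, which is why step 1 must come first.
deny quick from ebgp ovs invalid

# 3. Ordinary customer routes (already known to be ovs valid or not-found here)
allow from group "cust-a" prefix-set "cust-a-v4"
allow from group "cust-a" prefix-set "cust-a-v6"

# Alternative ordering mentioned in the thread: drop 'quick' from the deny and
# re-allow blackholes after it. bgpd uses last-match-wins without quick, so the
# later allow overrides the deny for matching host routes:
#   deny from ebgp ovs invalid
#   allow from group "cust-a" prefix-set "cust-a-blackhole-v4" community $BLACKHOLE set nexthop blackhole
#   allow from group "cust-a" prefix-set "cust-a-blackhole-v6" community $BLACKHOLE set nexthop blackhole
```

Check the file with `bgpd -n -f /path/to/bgpd.conf` before loading it, and after a session is up use `bgpctl show rib ovs invalid` and `bgpctl show rib community 65535:666` to confirm that invalids are being rejected while the tagged host routes are installed with a blackhole next hop. Note that this only controls what a customer may blackhole within its own space; the question Claudio raises, whether a blackhole should be honoured when the covering route comes from a different peer, is a local policy decision that this fragment does not attempt to answer.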

