On Wed, Jun 23, 2021 at 11:40:25AM +0200, Hrvoje Popovski wrote:
> Hi all,
>
> first of all, thank you for rpki-client, it's so easy to use it and to
> get the job done.
> I'm playing with rpki-client and denying ovs invalid statement and I've
> seen that with default ovs config statement (deny from ebgp ovs invalid)
> BLACKHOLE routes are blocked/invalid.
>
> What is the right way to allow BLACKHOLE routes through rpki? Or if
> someone can give me a hint on what to do.
>
BLACKHOLE routes normally have a more specific check so you can re-allow
them back after the ovs invalid check (for that you need to take away the
quick from the default ruleset or actually allow quick the blackholes
before).

I guess you can use something along the lines of:

allow quick from group clients inet prefixlen 32 community $BLACKHOLE set nexthop blackhole
allow quick from group clients inet6 prefixlen 128 community $BLACKHOLE set nexthop blackhole

I guess you also have some client prefix-sets that should be added to the
filter rule so that one client can not blackhole for another.

BLACKHOLE routes are done in many ways and I'm not sure if there is
consensus who is allowed to announce what. Also if there are multiple
paths to the destination should the blackhole only be active if the
covering route is from the same peer?

-- 
:wq Claudio
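The following bgpd.conf fragment is an added example (not from the thread and not OpenBGPD's shipped configuration) that puts the two pieces of the reply together: the blackhole allow rules are placed with "quick" ahead of the default "deny quick from ebgp ovs invalid" rule, and they are restricted to per-client prefix-sets so one client cannot blackhole another client's space. The AS numbers, neighbor addresses, the "clients" group and the prefix-set names and contents are assumptions; the include path is the file rpki-client writes by default and should be adjusted to your setup.

```conf
# Added example bgpd.conf fragment. Assumed values: AS 65001 (ours),
# AS 65002 (customer), 192.0.2.0/24 and 2001:db8::/32 (customer prefixes).
AS 65001
router-id 192.0.2.1

# ROA data produced by rpki-client (default output path, adjust as needed).
# This provides the roa-set that "ovs" matches against.
include "/var/db/rpki-client/openbgpd"

# What the customer may announce at all: the aggregate and more specifics.
prefix-set clients-v4 { 192.0.2.0/24 prefixlen 24 - 32 }
prefix-set clients-v6 { 2001:db8::/32 prefixlen 32 - 128 }

# What the customer may blackhole: host routes inside their own space only.
prefix-set clients-v4-blackhole { 192.0.2.0/24 prefixlen = 32 }
prefix-set clients-v6-blackhole { 2001:db8::/32 prefixlen = 128 }

group "clients" {
	remote-as 65002
	neighbor 203.0.113.2
	neighbor 2001:db8:ffff::2
	announce IPv4 unicast
	announce IPv6 unicast
}

# Filter rules are evaluated in order and "quick" stops at the first match.
# A /32 or /128 tagged BLACKHOLE is usually ovs invalid (the ROA maxLength
# rarely reaches host routes), so it is re-allowed here, before the RPKI
# deny, and only when it lies inside the blackhole prefix-set of that group.
allow quick from group clients inet prefix-set clients-v4-blackhole community BLACKHOLE set nexthop blackhole
allow quick from group clients inet6 prefix-set clients-v6-blackhole community BLACKHOLE set nexthop blackhole

# The default RPKI policy from the example config. Because the blackhole
# rules above carry "quick" and come first, they are not affected by it.
deny quick from ebgp ovs invalid

# Ordinary customer routes: only prefixes from their own prefix-set.
allow from group clients inet prefix-set clients-v4
allow from group clients inet6 prefix-set clients-v6
deny from group clients
```

The same effect can be had the other way round, as the reply notes: drop "quick" from the ovs invalid deny and place the blackhole allow rules after it, since without "quick" the last matching rule wins. Keeping the blackhole rules first with "quick" makes the intent easier to audit, and restricting them to the per-group blackhole prefix-set is what prevents a customer from blackholing addresses it does not own.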

