Signaling Prefix Origin Validation Results from a Route-Server to Peers

RPKI-based prefix origin validation can be a significant operational burden for BGP peers to implement and adopt. In order to boost acceptance and usage of prefix origin validation and ultimately increase the security of the Internet routing system, IXPs may provide RPKI-based prefix origin validation at the route-server . The result of this prefix origin validation is signaled to peers by using the BGP Prefix Origin Validation State Extended Community as introduced in . Peers receiving the prefix origin validation result from the route-server(s) can use this information in their local routing decision process for acceptance, rejection, preference, or other traffic engineering purposes of a particular route.

The BGP Prefix Origin Validation State Extended Community (as defined in ) is utilized for signaling prefix origin validation result from a route-server to peers. proposes an encoding of the prefix origin validation result as follows: Value Meaning 0Valid 1Not found 2Invalid This encoding is re-used. Route-servers providing RPKI-based prefix origin validation set the validation state according to the prefix origin validation result (see ).

A peer receiving prefix origin validation results from the route server MAY use the information in its own local routing decision process. The local routing decision process SHOULD apply to the rules as described in section 5. A peer receiving a prefix origin validation result from the route server MAY redistribute this information within its own AS.

An IXP route-server receiving routes from its peers containing the BGP Prefix Origin Validation State Extended Community MUST remove the extended community before the route is re-distributed to its peers. This is required regardless of whether the route-server is executing prefix origin validation or not. Failure to do so would allow opportunistic peers to advertise routes tagged with arbitrary prefix origin validation results via a route-server, influencing maliciously the decision process of other route-server peers.

In case information about the validity of a BGP prefix origin is not available at the route-server (e.g., error in the ROA cache, CPU overload) the route-server MUST NOT add the BGP Prefix Origin Validation State Extended Community to the route.

A route sent by a route-server SHOULD only contain none or one BGP Prefix Origin Validation State Extended Community. A peer receiving a route from a route-server containing more than one BGP Prefix Origin Validation State Extended Community SHOULD only consider the largest value (as described in ) in the validation result field and disregard the other values. Values larger than two in the validation result field MUST be disregarded.

None. The IANA is requested to register the value 0x02 for the low-order octet of the extended type in the non-transitive range for the concept described in this document. The extended community should be called "Route-server RPKI validation result extended community". -->

A route-server could be misused to spread malicious prefix origin validation results. However, peers have to trust the route-server anyway as it collects and redistributes BGP routing information to other peers. The introduction of a mechanisms described in this document does not pose a new class of attack vectors to the relationship between route-servers and peers.