nanog mailing list archives

Re: Understanding impact of RPKI and ROA on existing advertisements


From: Samuel Jackson <bobin.public () gmail com>
Date: Tue, 1 Nov 2022 11:46:04 -0700

Thanks everyone for your inputs. So, bottom line: set up RPKI and set up ROAs
for all our subnets being advertised.
Much of this is legacy and has too many unknowns; being handed down
networks without documentation also does not help.

Thanks,
Sam


On Tue, Nov 1, 2022 at 9:07 AM heasley <heas () shrubbery net> wrote:

Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
One danger with RPKI is shooting yourself (or customers) in the foot by
creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have
a multihomed customer to whom you've assigned a /24 from your /20.  You
create a ROA for the /20 saying your ASN is authorized to originate your
/20.  Now that customer /24 has become an RPKI-invalid, and the customer
may find that their other provider is filtering their /24 advertisement.

i.e., you must also create ROA(s) for your BGP customer's more specific(s) of
your aggregate.
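
The failure Jon Lewis describes and the fix heasley gives, run through RFC 6811 origin validation as an added example (not part of the thread or any poster's code). The prefixes and ASNs are constructed sample values, and it assumes the customer originates the /24 from its own ASN.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class ROA(NamedTuple):
    prefix: Network
    max_length: int
    asn: int

def roa(prefix: str, asn: int, max_length: int = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length when omitted."""
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for r in roas:
        # A ROA covers the route if the route equals or is inside its prefix.
        if net.version != r.prefix.version or not net.subnet_of(r.prefix):
            continue
        covered = True
        # Match: same origin AS (never AS0) and route no longer than maxLength.
        if r.asn == origin_asn and r.asn != 0 and net.prefixlen <= r.max_length:
            return "valid"
    # Covered by some ROA but matched by none is invalid, not unknown.
    return "invalid" if covered else "not-found"

# Constructed sample data: benchmarking address space and documentation ASNs.
PROVIDER_AS, CUSTOMER_AS = 64496, 64511
AGGREGATE, CUSTOMER_ROUTE = "198.18.0.0/20", "198.18.5.0/24"

ONLY_AGGREGATE = [roa(AGGREGATE, PROVIDER_AS)]
# Loosening maxLength on the provider's ROA does not help: the origin AS differs.
LOOSE_AGGREGATE = [roa(AGGREGATE, PROVIDER_AS, max_length=24)]
# Assumption: the customer originates the /24 from its own ASN.
WITH_CUSTOMER = ONLY_AGGREGATE + [roa(CUSTOMER_ROUTE, CUSTOMER_AS)]

if __name__ == "__main__":
    for name, roas in [("aggregate only", ONLY_AGGREGATE),
                       ("aggregate, maxLength 24", LOOSE_AGGREGATE),
                       ("aggregate + customer ROA", WITH_CUSTOMER)]:
        print(f"{name}: /20 via provider = {validate(AGGREGATE, PROVIDER_AS, roas)}, "
              f"/24 via customer = {validate(CUSTOMER_ROUTE, CUSTOMER_AS, roas)}")
```
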

