nanog mailing list archives

Re: AT&T/as7018 now drops invalid prefixes from peers


From: Jay Borkenhagen <jayb () braeburn org>
Date: Thu, 14 Feb 2019 14:10:08 -0500

> Congrats Jay, this is awesome news!

Thanks, Alex!

> I’m interested to hear what is preventing you from creating ROAs for all of your announcements.

We will publish more ROAs over time.  Thus far we have been utilizing
ARIN's hosted model, but down the road ARIN's delegated model will be
in our future.

> What are your main drivers for wanting to move to the delegated model?

We can publish ROAs immediately for aggregate address blocks that we
have been allocated if all routes are originated only by our network.
But for our address allocations within which we have further assigned
sub-blocks to our customers as PA space where we allow multihoming
(e.g. within 12.0.0.0/8), we need to offer our downstream customers
the ability to publish ROAs for their specific portions first before
we publish a ROA for the aggregate, or else we'll make their
announcements become invalid.

Setting up that ability for our customers to publish ROAs for the PA
space they receive from us will require tight integration with our
customer software support systems, and perhaps also with our own
certificate authority -- thus the delegated model.

BTW: Alex, do you know where one might be able to get RPKI CA
software? :-)

Thanks.

                                                Jay B.
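
Added example (not part of the original message, and not AT&T's code): a minimal RFC 6811 route origin validation in Python that shows why the order of ROA publication matters for multihomed PA space. The customer prefix 12.34.56.0/24, the documentation AS 64500 and the maxLength values are constructed placeholders.

```python
import ipaddress

# Constructed sample ROAs as (prefix, maxLength, origin AS).
# The customer prefix, AS 64500 and both maxLength values are assumptions.
AGGREGATE_ROA = ("12.0.0.0/8", 8, 7018)
CUSTOMER_ROA = ("12.34.56.0/24", 24, 64500)

# Constructed announcements: the provider aggregate and a multihomed
# customer originating its PA sub-block from its own AS.
ROUTES = [("12.0.0.0/8", 7018), ("12.34.56.0/24", 64500)]


def validate(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS (AS 0 never matches) and a
        # prefix length no longer than the ROA's maxLength.
        if roa_as == origin_as and roa_as != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def rollout(order):
    """Publish ROAs in the given order; record each route's state per step."""
    published, history = [], []
    for roa in order:
        published.append(roa)
        history.append([validate(p, asn, published) for p, asn in ROUTES])
    return history


if __name__ == "__main__":
    # Aggregate first: the customer route is invalid until its own ROA exists.
    print("aggregate first:", rollout([AGGREGATE_ROA, CUSTOMER_ROA]))
    # Customer first: no announcement is ever invalid during the rollout.
    print("customer first: ", rollout([CUSTOMER_ROA, AGGREGATE_ROA]))
```

Each inner list gives the state of the aggregate and then the customer route after one publication step.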

