nanog mailing list archives

Re: Understanding impact of RPKI and ROA on existing advertisements


From: heasley <heas () shrubbery net>
Date: Tue, 1 Nov 2022 16:07:15 +0000

Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> One danger with RPKI is shooting yourself (or customers) in the foot by
> creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have
> a multihomed customer to whom you've assigned a /24 from your /20.  You
> create a ROA for the /20 saying your ASN is authorized to originate your
> /20.  Now that customer /24 has become an RPKI-invalid, and the customer
> may find that their other provider is filtering their /24 advertisement.

i.e.: you must also create ROA(s) for your BGP customer's more specific(s) of
your aggregate.
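
The failure mode discussed in this message, as an added example that is not code from either poster: a minimal RFC 6811 route origin validation run over constructed ROAs. The prefix 10.20.0.0/20 and AS64500/AS64501 are constructed sample values, and the customer is assumed to originate the /24 from its own ASN.

```python
import ipaddress

def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation state for one BGP announcement.

    roas is a list of (roa_prefix, max_length, asn) tuples.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, not unknown.
    return "invalid" if covered else "not-found"

# Constructed sample values: provider AS64500 holds 10.20.0.0/20 and assigns
# 10.20.5.0/24 to a multihomed customer that originates it from AS64501.
PROVIDER, CUSTOMER = 64500, 64501
AGGREGATE, CUSTOMER_NET = "10.20.0.0/20", "10.20.5.0/24"

NO_ROAS = []
AGGREGATE_ONLY = [(AGGREGATE, 20, PROVIDER)]
# maxLength raised to /24, but the authorized ASN is still the provider's.
LOOSE_MAXLEN = [(AGGREGATE, 24, PROVIDER)]
WITH_CUSTOMER_ROA = AGGREGATE_ONLY + [(CUSTOMER_NET, 24, CUSTOMER)]

def customer_states():
    """State of the customer's /24 announcement under each ROA set."""
    roa_sets = {
        "no_roas": NO_ROAS,
        "aggregate_only": AGGREGATE_ONLY,
        "loose_maxlen": LOOSE_MAXLEN,
        "with_customer_roa": WITH_CUSTOMER_ROA,
    }
    return {name: validate(CUSTOMER_NET, CUSTOMER, roas)
            for name, roas in roa_sets.items()}

if __name__ == "__main__":
    for name, state in customer_states().items():
        print(f"{name:18} {state}")
```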

