AT&T/as7018 now drops invalid prefixes from peers

Jay Borkenhagen jayb at braeburn.org
Thu Feb 14 19:10:08 UTC 2019


 > Congrats Jay, this is awesome news!

Thanks, Alex!

 > I’m interested to hear what is preventing you from creating ROAs for all of your announcements. 
 > 
 > > We will publish more ROAs over time.  Thus far we have been utilizing
 > > ARIN's hosted model, but down the road ARIN's delegated model will be
 > > in our future.
 > > 
 > What are your main drivers for wanting to move to the delegated model?

We can publish ROAs immediately for aggregate address blocks that we
have been allocated if all routes are originated only by our network.
But for our address allocations within which we have further assigned
sub-blocks to our customers as PA space where we allow multihoming
(e.g. within 12.0.0.0/8), we need to offer our downstream customers
the ability to publish ROAs for their specific portions first before
we publish a ROA for the aggregate, or else we'll make their
announcements become invalid.

Setting up that ability for our customers to publish ROAs for the PA
space they receive from us will require tight integration with our
customer software support systems, and perhaps also with our own
certificate authority -- thus the delegated model.

BTW: Alex, do you know where one might be able to get RPKI CA
software? :-)

Thanks.

						Jay B.
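
The ordering problem described in the message above, shown as an added example (not part of the original post and not AT&T's tooling): a minimal RFC 6811 route origin validation in Python. The customer prefix 12.34.56.0/24, the customer origin AS64500 and the maxLength values are constructed for illustration; only 12.0.0.0/8 and AS7018 come from the thread.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


def validate(route_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA covers a route when the route is the ROA prefix or a more-specific of it.
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # A covering ROA matches only if the origin AS agrees and the
        # route is no longer than the ROA's maxLength.
        if origin_asn == r.asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


# Aggregate ROA for the provider block named in the thread.
AGGREGATE = roa("12.0.0.0/8", 8, 7018)
# Constructed: ROA a multihomed PA customer would publish for its own sub-block.
CUSTOMER = roa("12.34.56.0/24", 24, 64500)
# Constructed: the customer's announcement as seen via its other upstream.
CUSTOMER_ROUTE = ("12.34.56.0/24", 64500)


def scenario():
    """Validation state of the customer route at each stage of ROA publication."""
    return {
        "no ROAs": validate(*CUSTOMER_ROUTE, []),
        "aggregate ROA only": validate(*CUSTOMER_ROUTE, [AGGREGATE]),
        "customer ROA, then aggregate": validate(*CUSTOMER_ROUTE, [CUSTOMER, AGGREGATE]),
    }


if __name__ == "__main__":
    for stage, state in scenario().items():
        print(f"{stage:30s} {state}")
```

The middle stage is the one that matters to networks dropping invalids: the customer route goes from not-found (accepted) to invalid (dropped) as soon as the aggregate ROA appears without the customer's own ROA.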



