Hurricane Electric has reached 0 RPKI INVALIDs in our routing table
Jon Lewis
jlewis at lewis.org
Thu Jun 18 02:01:04 UTC 2020
On Wed, 17 Jun 2020, Richa wrote:
> Job,
>
>
>> RPKI ROA creation is a big hammer. Everyone needs to think carefully
>> about each ROA they create and if it will positively or negatively
>> impact their network.
>
> Could you please shed some more light on the above?
>
> How would ROA negatively impact if ROA(s) is created such that the entire prefix set is covered?

Just like I said, if you create an ROA for an aggregate, forgetting that
you have customers using subnets of that aggregate (or didn't create ROAs
for customer subnets with the right origin ASNs), you're literally telling
those using RPKI to verify routes "don't accept our customers' routes."
That might not be bad for "your network", but it's probably bad for
someone's.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
StackPath, Sr. Neteng | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
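
The failure mode described in the reply above, worked through with RFC 6811 route origin validation. This is an added example, not part of the original message; the prefix and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # authorized prefix
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorized origin AS

def validate(route: str, origin_asn: int, roas: list) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route is the ROA prefix or a subnet of it.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, and dropped
    # by networks that reject RPKI invalids.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefix and ASNs, not from the thread).
PROVIDER_AS, CUSTOMER_AS = 64496, 64497
AGGREGATE, CUSTOMER_ROUTE = "2001:db8::/32", "2001:db8:1234::/48"
AGGREGATE_ROA = ROA(AGGREGATE, 32, PROVIDER_AS)
CUSTOMER_ROA = ROA(CUSTOMER_ROUTE, 48, CUSTOMER_AS)

def customer_state(roas: list) -> str:
    """Validation state of the customer's more-specific under a given ROA set."""
    return validate(CUSTOMER_ROUTE, CUSTOMER_AS, roas)

if __name__ == "__main__":
    for label, roas in [("no ROAs", []),
                        ("aggregate ROA only", [AGGREGATE_ROA]),
                        ("aggregate + customer ROA", [AGGREGATE_ROA, CUSTOMER_ROA])]:
        print(f"{label:26} customer /48 -> {customer_state(roas)}")
```

The customer route goes from not-found (accepted) to invalid the moment the aggregate ROA is published, and only returns to valid once a ROA naming the customer's origin AS exists.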