Re: Hurricane Electric has reached 0 RPKI INVALIDs in our routing table
nanog at radu-adrian.feurdean.net
Sun Jun 21 09:50:18 UTC 2020
On Thu, Jun 18, 2020, at 04:01, Jon Lewis wrote:
> Just like I said, if you create an ROA for an aggregate, forgetting that
> you have customers using subnets of that aggregate (or didn't create ROAs
> for customer subnets with the right origin ASNs), you're literally telling
> those using RPKI to verify routes "don't accept our customers' routes."
> That might not be bad for "your network", but it's probably bad for
That makes you a bad upstream operator, one that does things without understanding the consequences. This may still be the unfortunate norm, but it's by no means something to be considered an acceptable state.
Put otherwise: if you have downstream customers that you allow to announce part of your address space in the GRT, make sure you can still provide the service after making changes (like RPKI signing).
Put in yet another way: if you lease IP space (with or without connectivity), make sure all the additional services are included in one way or another. Those services should include RPKI signing and reverse DNS, and the strict minimum (only slightly better than not doing it at all) should be via "open a service ticket"; the more automated the better.
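The failure mode discussed in this message, as an added example that is not part of the original post: a minimal RFC 6811 origin validation in Python showing how a ROA for the aggregate alone turns a customer's more-specific from "not-found" into "invalid", plus a pre-publication check that lists the routes a planned ROA set would break. The prefixes, ASNs and function names are constructed for illustration (documentation ranges only).

```python
import ipaddress

def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation. roas: list of (prefix, max_length, asn).
    Returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: origin agrees and the route is not longer than maxLength.
        # AS0 in a ROA never matches any origin.
        if roa_asn != 0 and origin_asn == roa_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def routes_broken_by(roas_before, roas_after, announcements):
    """Announcements that validators accepted before the ROA change
    but would reject as invalid after it."""
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas_before) != "invalid"
            and validate(p, asn, roas_after) == "invalid"]

# Constructed sample data: upstream AS64496 holds 2001:db8::/32 and lets
# customer AS64511 announce 2001:db8:a::/48 out of it.
ANNOUNCEMENTS = [("2001:db8::/32", 64496), ("2001:db8:a::/48", 64511)]
AGGREGATE_ONLY = [("2001:db8::/32", 32, 64496)]
WITH_CUSTOMER = AGGREGATE_ONLY + [("2001:db8:a::/48", 48, 64511)]

if __name__ == "__main__":
    for label, roas in (("no ROAs", []),
                        ("aggregate ROA only", AGGREGATE_ONLY),
                        ("aggregate + customer ROA", WITH_CUSTOMER)):
        print(label)
        for p, asn in ANNOUNCEMENTS:
            print(f"  {p} from AS{asn}: {validate(p, asn, roas)}")
    print("broken by aggregate-only signing:",
          routes_broken_by([], AGGREGATE_ONLY, ANNOUNCEMENTS))
```

Running `routes_broken_by` against the current BGP view of your own address space before publishing ROAs gives the list of customer announcements that still need their own ROA.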