Re: Hurricane Electric has reached 0 RPKI INVALIDs in our routing table

Radu-Adrian Feurdean nanog at
Sun Jun 21 09:50:18 UTC 2020


On Thu, Jun 18, 2020, at 04:01, Jon Lewis wrote:
> Just like I said, if you create an ROA for an aggregate, forgetting that 
> you have customers using subnets of that aggregate (or didn't create ROAs 
> for customer subnets with the right origin ASNs), you're literally telling 
> those using RPKI to verify routes "don't accept our customers' routes." 
> That might not be bad for "your network", but it's probably bad for 
> someone's.

That makes you a bad upstream operator, one that does things without understanding the consequences. This may still be the unfortunate norm, but it's by no means something to be considered an acceptable state.

Put otherwise : if you have downstream customers that you allow to announce part of your address space in the GRT, make sure you can still provide the service after doing changes (like RPKI signing).

Put in a yet another way : if you lease IP space (with or without connectivity), make sure all the additional services are included in a way or another. Those services should include RPKI signing and reverse DNS, and the strict minimum (only slightly better than not doing it at all) should be via "open a service ticket"; the more automated the better.

More information about the NANOG mailing list