question about enabling RPKI using Hosted mode

Job Snijders job at fastly.com
Mon Oct 25 21:35:42 UTC 2021


Dear Edvinas,

On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
> 
> Does enabling Hosted Mode (where it doesn't require any additional
> configuration on the client end) on RPKI for some reason cause
> traffic loss?
> 
> The only disastrous scenario I could think of is if we would enable ROAs
> with incorrect sub-prefixes or maximum prefix length. Am I right?

I think you correctly identified most of the potential pitfalls. Another
pitfall might be when a typo in the Origin AS value slips into the RPKI ROA.

For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
Should I accidentally modify the covering ROA to only permit AS 15563,
the planet's connectivity towards 2001:67c:208c::/48 would become
spotty.

So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
monitoring tool. NTT's excellent BGPAlerter might be useful in this
context: https://github.com/nttgin/BGPalerter

Don't deploy things without monitoring! :-)

Kind regards,

Job


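The three pitfalls named in this thread (wrong origin AS, a sub-prefix not covered by the ROA, and a maxLength that is too short) all fall out of the same rule set: the Route Origin Validation procedure of RFC 6811. The following is an added example, not part of Job's reply and not code from BGPalerter or any RPKI validator. It implements that procedure over a constructed set of ROAs and announcements, using the 2001:67c:208c::/48 / AS 15562 / AS 15563 values from the message, and adds a hypothetical preflight() helper that checks every prefix you currently originate against a proposed ROA set before you publish it.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Added example for the NANOG thread above; not the list's or any validator's code.
A ROA "covers" a route when the route falls inside the ROA prefix. A covering
ROA "matches" when the route is no longer than the ROA's maxLength and the
origin AS equals the ROA's AS. Any match -> Valid; covered but no match ->
Invalid; nothing covering -> NotFound.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Optional, Sequence, Tuple, Union

Prefix = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and authorized origin AS."""
    prefix: Prefix
    max_length: int
    asn: int

    @classmethod
    def make(cls, prefix: str, asn: int, max_length: Optional[int] = None) -> "ROA":
        # maxLength defaults to the prefix length when the ROA omits it (RFC 6482).
        net = ip_network(prefix, strict=True)
        ml = net.prefixlen if max_length is None else max_length
        if not net.prefixlen <= ml <= net.max_prefixlen:
            raise ValueError(f"maxLength {ml} out of range for {net}")
        return cls(net, ml, asn)


def covers(roa: ROA, route: Prefix) -> bool:
    """The ROA prefix contains the route (same address family, route inside ROA prefix)."""
    if roa.prefix.version != route.version:
        return False
    return route.subnet_of(roa.prefix)


def matches(roa: ROA, route: Prefix, origin_as: int) -> bool:
    """A covering ROA matches when length <= maxLength and the origin AS agrees."""
    return (covers(roa, route)
            and route.prefixlen <= roa.max_length
            and roa.asn == origin_as)


def validate(prefix: str, origin_as: int, roas: Sequence[ROA]) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    route = ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    if any(matches(r, route, origin_as) for r in covering):
        return "Valid"
    return "Invalid"


def preflight(announcements: Sequence[Tuple[str, int]],
              proposed_roas: Sequence[ROA]) -> List[Tuple[str, int, str]]:
    """Hypothetical pre-publication check: list every announcement that would
    not be Valid once the proposed ROAs are published (Invalid ones will be
    dropped by strict-RPKI peers, NotFound ones are simply still unprotected)."""
    results = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, proposed_roas)
        if state != "Valid":
            results.append((prefix, asn, state))
    return results


def demo() -> dict:
    """Constructed scenarios from the thread: correct ROA, AS typo, maxLength too short."""
    correct = [ROA.make("2001:67c:208c::/48", 15562)]          # what should be published
    typo = [ROA.make("2001:67c:208c::/48", 15563)]             # origin AS off by one
    loose = [ROA.make("2001:67c:208c::/48", 15562, max_length=64)]
    return {
        "exact match":        validate("2001:67c:208c::/48", 15562, correct),
        "origin AS typo":     validate("2001:67c:208c::/48", 15562, typo),
        "sub-prefix, ml=48":  validate("2001:67c:208c:1::/64", 15562, correct),
        "sub-prefix, ml=64":  validate("2001:67c:208c:1::/64", 15562, loose),
        "no covering ROA":    validate("2001:67c:208d::/48", 15562, correct),
        "preflight of typo":  preflight([("2001:67c:208c::/48", 15562),
                                         ("2001:67c:208c:1::/64", 15562)], typo),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:20s} -> {state}")
```

The preflight() run is the check worth doing before touching ROAs in the hosted RPKI portal: feed it the full list of (prefix, origin AS) pairs you actually announce, including any more-specifics used for traffic engineering, and publish only when it returns an empty list. It does not replace monitoring afterwards, since it only sees what you think you announce, not what the DFZ sees.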