question about enabling RPKI using Hosted mode

Job Snijders job at
Mon Oct 25 21:35:42 UTC 2021

Dear Edvinas,

On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
> Does enabling Hosted Mode (where it doesn't requires any additional
> configuration on client end) on RPKI could for some reason could cause a
> traffic loss ?
> The only disasterious scenario i could think of, is if we would enable ROA
> with incorrect sub prefixes, maximum prefix length. Am i Right ?

I think you correctly identified most of the potential pitfalls. Another
pitfall might be when a typo in the Origin AS value slips into the RPKI ROA.

For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
Should I'd accidentally modify the covering ROA to only permit AS 15563,
the planet's connectivity towards 2001:67c:208c::/48 would become

So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
monitoring tool. NTT's excellent BGPAlerter might be useful in this

Don't deploy things without monitoring! :-)

Kind regards,


More information about the NANOG mailing list