question about enabling RPKI using Hosted mode

Edvinas Kairys edvinas.email at gmail.com
Tue Oct 26 07:11:14 UTC 2021


thanks, will keep in mind.

Also, about ROA expirations: is it possible to configure an automatic ROA
extension after it expires?

On Tue, Oct 26, 2021 at 12:35 AM Job Snijders <job at fastly.com> wrote:

> Dear Edvinas,
>
> On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> > We're thinking of enabling BGP ROA, because more and more ISPs are using
> > strict RPKI mode.
> >
> > Could enabling Hosted Mode on RPKI (where it doesn't require any
> > additional configuration on the client end) for some reason cause
> > traffic loss?
> >
> > The only disastrous scenario I could think of is if we would enable ROA
> > with incorrect sub prefixes, maximum prefix length. Am I right?
>
> I think you correctly identified most of the potential pitfalls. Another
> pitfall might be when a typo in the Origin AS value slips into the RPKI
> ROA.
>
> For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
> Should I accidentally modify the covering ROA to only permit AS 15563,
> the planet's connectivity towards 2001:67c:208c::/48 would become
> spotty.
>
> So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
> monitoring tool. NTT's excellent BGPAlerter might be useful in this
> context: https://github.com/nttgin/BGPalerter
>
> Don't deploy things without monitoring! :-)
>
> Kind regards,
>
> Job
>
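
The pitfalls raised in this thread (a wrong Origin AS, a maximum prefix length that is too short) as an added example that is not part of the original messages: a minimal RFC 6811 route origin validation in Python, used as a pre-flight check of a proposed ROA set against the routes you announce. The 2001:67c:208c::/48 prefix and AS 15562/15563 come from the thread; the 2001:db8::/32, 192.0.2.0/24 and AS 64500 entries and all function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: what one ROA entry authorises."""
    prefix: str
    max_length: int
    asn: int

def validate(route: str, origin_asn: int, vrps: list[VRP]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if it is the same prefix or a less specific one.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 never matches; origin and length must both fit.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: strict networks drop it.
    return "invalid" if covered else "not-found"

def preflight(announcements, proposed):
    """Return the announcements the proposed ROA set would NOT make valid."""
    report = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, proposed)
        if state != "valid":
            report.append((prefix, asn, state))
    return report

# Routes we originate (first entry is from the thread, the rest are constructed).
ANNOUNCED = [
    ("2001:67c:208c::/48", 15562),
    ("2001:db8:1::/48", 64500),
    ("192.0.2.0/24", 64500),
]
# Proposed ROAs containing both mistakes discussed in the thread (constructed).
PROPOSED = [
    VRP("2001:67c:208c::/48", 48, 15563),  # typo in Origin AS
    VRP("2001:db8::/32", 32, 64500),       # maxLength too short for the /48
]

if __name__ == "__main__":
    for prefix, asn, state in preflight(ANNOUNCED, PROPOSED):
        print(f"{prefix} from AS{asn}: {state}")
```

A "not-found" result means no ROA covers the route at all, which strict validators still accept; only "invalid" routes are dropped.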