question about enabling RPKI using Hosted mode

Dale W. Carder dwcarder at es.net
Tue Oct 26 13:30:13 UTC 2021


Thus spake Edvinas Kairys (edvinas.email at gmail.com) on Tue, Oct 26, 2021 at 10:11:14AM +0300:
> 
> Also, about ROA expirations, is it possible to configure an automatic ROA
> extension after it expires?

Well, you probably hit one of the next biggest operational issues, 
so congrats ;-).  

If you are in the ARIN region you might want to track the process
for ACSP Suggestion 2021.15 

https://www.arin.net/participate/community/acsp/suggestions/2021/2021-15/

If you are in another region you can see the differences here:
https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html?highlight=renew#functional-differences-across-rirs

Dale
 
> On Tue, Oct 26, 2021 at 12:35 AM Job Snijders <job at fastly.com> wrote:
> 
> > Dear Edvinas,
> >
> > On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> > > We're thinking of enabling BGP ROA, because more and more ISPs are using
> > > strict RPKI mode.
> > >
> > > Does enabling Hosted Mode (where it doesn't require any additional
> > > configuration on client end) on RPKI could for some reason cause
> > > traffic loss?
> > >
> > > The only disastrous scenario I could think of is if we would enable ROA
> > > with incorrect sub prefixes, maximum prefix length. Am I right?
> >
> > I think you correctly identified most of the potential pitfalls. Another
> > pitfall might be when a typo in the Origin AS value slips into the RPKI
> > ROA.
> >
> > For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
> > Should I accidentally modify the covering ROA to only permit AS 15563,
> > the planet's connectivity towards 2001:67c:208c::/48 would become
> > spotty.
> >
> > So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
> > monitoring tool. NTT's excellent BGPAlerter might be useful in this
> > context: https://github.com/nttgin/BGPalerter
> >
> > Don't deploy things without monitoring! :-)
> >
> > Kind regards,
> >
> > Job
> >
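
Added example, not part of the original thread: a pre-flight check that applies RFC 6811 origin validation to your own announcements against a proposed ROA set, covering the two pitfalls named above (wrong Origin AS, too-short maximum prefix length). The names `VRP`, `validate` and `preflight` are hypothetical; 2001:db8::/32 and AS 64496 are constructed documentation values, while 2001:67c:208c::/48 with AS 15562/15563 is the case from Job's message.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength, permitted origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches only if the origin AS agrees and the route is not
        # more specific than maxLength allows.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: dropped by strict peers.
    return "invalid" if covered else "not-found"


def preflight(announcements, proposed_vrps):
    """Return the announcements the proposed ROA set would make invalid."""
    return [(p, a) for p, a in announcements
            if validate(p, a, proposed_vrps) == "invalid"]


if __name__ == "__main__":
    # Constructed sample: what we announce vs. the ROAs we are about to publish.
    announcements = [
        ("2001:67c:208c::/48", 15562),   # prefix and origin from the thread
        ("2001:db8:1::/48", 64496),      # constructed more-specific
    ]
    proposed = [
        VRP("2001:67c:208c::/48", 48, 15563),  # Origin AS typo
        VRP("2001:db8::/32", 32, 64496),       # maxLength too short for the /48
    ]
    for prefix, asn in preflight(announcements, proposed):
        print(f"would become RPKI-invalid: {prefix} from AS{asn}")
```
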

