question about enabling RPKI using Hosted mode

Edvinas Kairys edvinas.email at gmail.com
Wed Oct 27 07:44:30 UTC 2021


Thanks, I'm happy that my RIR is RIPE. I hope other RIRs will make
auto-renew as well.

On Tue, Oct 26, 2021 at 4:30 PM Dale W. Carder <dwcarder at es.net> wrote:

> Thus spake Edvinas Kairys (edvinas.email at gmail.com) on Tue, Oct 26, 2021
> at 10:11:14AM +0300:
> >
> > Also, about ROA expirations, is it possible to configure an automatic ROA
> > extension after it expires?
>
> Well, you probably hit one of the next biggest operational issues,
> so congrats ;-).
>
> If you are in the ARIN region you might want to track the process
> for ACSP Suggestion 2021.15
>
> https://www.arin.net/participate/community/acsp/suggestions/2021/2021-15/
>
> If you are in another region you can see the differences here:
>
> https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html?highlight=renew#functional-differences-across-rirs
>
> Dale
>
> > On Tue, Oct 26, 2021 at 12:35 AM Job Snijders <job at fastly.com> wrote:
> >
> > > Dear Edvinas,
> > >
> > > On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> > > > We're thinking of enabling BGP ROA, because more and more ISPs are using
> > > > strict RPKI mode.
> > > >
> > > > Could enabling Hosted Mode (where it doesn't require any additional
> > > > configuration on client end) on RPKI for some reason cause a
> > > > traffic loss?
> > > >
> > > > The only disastrous scenario I could think of is if we would enable ROA
> > > > with incorrect sub prefixes, maximum prefix length. Am I right?
> > >
> > > I think you correctly identified most of the potential pitfalls. Another
> > > pitfall might be when a typo in the Origin AS value slips into the RPKI
> > > ROA.
> > >
> > > For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
> > > Should I accidentally modify the covering ROA to only permit AS 15563,
> > > the planet's connectivity towards 2001:67c:208c::/48 would become
> > > spotty.
> > >
> > > So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
> > > monitoring tool. NTT's excellent BGPAlerter might be useful in this
> > > context: https://github.com/nttgin/BGPalerter
> > >
> > > Don't deploy things without monitoring! :-)
> > >
> > > Kind regards,
> > >
> > > Job
> > >
>
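
The pitfalls discussed in this thread (wrong Origin AS, too-short maximum prefix length) can be checked before a ROA is published by running the planned ROA set against your current announcements with the RFC 6811 origin validation procedure. This is an added example, not code from any poster in the thread. The names ROA, validate and preflight are hypothetical, 2001:db8::/32 and AS 64500 are constructed documentation values, and the 2001:67c:208c::/48 case is the one from Job's message.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix the ROA covers
    max_length: int   # longest announcement length the ROA authorises
    origin_as: int    # the only AS allowed to originate under this ROA


def validate(route_prefix, route_origin, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers a route when the route equals or is more specific
        # than the ROA prefix (same address family).
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if route.prefixlen <= roa.max_length and roa.origin_as == route_origin:
            return "valid"
    # Covered by at least one ROA but matched by none: strict-mode peers drop it.
    return "invalid" if covered else "not-found"


def preflight(announcements, planned_roas):
    """Announcements that would turn invalid once planned_roas are published."""
    return [(p, a) for p, a in announcements
            if validate(p, a, planned_roas) == "invalid"]


# What we announce today (second entry is constructed sample data).
ANNOUNCEMENTS = [
    ("2001:67c:208c::/48", 15562),   # from the thread
    ("2001:db8:1::/48", 64500),      # constructed: a more-specific we originate
]

# Planned ROAs containing both mistakes discussed in the thread.
PLANNED_ROAS = [
    ROA("2001:67c:208c::/48", 48, 15563),  # typo in the Origin AS
    ROA("2001:db8::/32", 32, 64500),       # max_length too short for the /48
]

if __name__ == "__main__":
    for prefix, asn in preflight(ANNOUNCEMENTS, PLANNED_ROAS):
        print(f"would become INVALID: {prefix} from AS{asn}")
```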