Understanding impact of RPKI and ROA on existing advertisements

Samuel Jackson bobin.public at gmail.com
Tue Nov 1 18:46:04 UTC 2022


Thanks everyone for your inputs. So bottom line: set up RPKI and set up ROAs
for all our subnets being advertised.
Much of this is legacy and has too many unknowns; being handed down
networks without documentation also does not help.

Thanks,
Sam


On Tue, Nov 1, 2022 at 9:07 AM heasley <heas at shrubbery.net> wrote:

> Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> > One danger with RPKI, is shooting yourself (or customers) in the foot by
> > creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have
> > a multihomed customer to whom you've assigned a /24 from your /20.  You
> > create a ROA for the /20 saying your ASN is authorized to originate your
> > /20.  Now that customer /24 has become an RPKI-invalid, and the customer
> > may find that their other provider is filtering their /24 advertisement.
>
> i.e.: you must also create ROA(s) for your BGP customer's more specific(s) of
> your aggregate.
>
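
Added example, not part of the original thread: the too-general ROA case quoted above and the fix of adding a ROA for the customer's more specific, run through RFC 6811 origin validation. The prefixes, the ASNs and the assumption that the customer originates the /24 from its own ASN are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA covers
    max_length: int  # longest prefix length the origin AS may announce
    asn: int         # authorized origin AS

def validate(prefix: str, origin_asn: int, roas: list) -> str:
    """RFC 6811 route origin validation for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: this is what gets filtered.
    return "invalid" if covered else "not-found"

def audit(announcements, roas):
    """Return the (prefix, origin) pairs that the ROA set would make invalid."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) == "invalid"]

# Constructed sample data: private address space and documentation ASNs.
PROVIDER_AS, CUSTOMER_AS = 64500, 64501
AGGREGATE, CUSTOMER_NET = "10.20.0.0/20", "10.20.5.0/24"
SEEN_IN_BGP = [(AGGREGATE, PROVIDER_AS), (CUSTOMER_NET, CUSTOMER_AS)]

AGGREGATE_ONLY = [ROA(AGGREGATE, 20, PROVIDER_AS)]
WITH_CUSTOMER = AGGREGATE_ONLY + [ROA(CUSTOMER_NET, 24, CUSTOMER_AS)]

if __name__ == "__main__":
    for label, roas in [("no ROAs", []), ("aggregate ROA only", AGGREGATE_ONLY),
                        ("aggregate + customer ROA", WITH_CUSTOMER)]:
        states = {p: validate(p, a, roas) for p, a in SEEN_IN_BGP}
        print(f"{label}: {states}  would break: {audit(SEEN_IN_BGP, roas)}")
```

Running audit over every prefix and origin currently seen under an aggregate, before the aggregate ROA is published, lists the announcements that need their own ROA first.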