[AusNOG] Experiences with RPKI

Md Abdul Awal awal at psg.com
Thu May 23 16:07:16 AEST 2024


Hi Joe,

Great work on ROA and RPKI.

Like you said, it is recommended to create ROAs for the prefixes that you advertise. In other words, create the minimum number of ROAs to cover the exact prefixes that you advertise, to avoid a “Validated Hijack”.


> On 23 May 2024, at 3:46 PM, Joseph Goldman <joseph at goldman.id.au> wrote:
> 
> i.e. say we had /22 ROA, 2x /23 ROAs and 4x /24 ROAs - are currently advertising the /22 and 2x /24's, so 2x /23's and 2x /24 ROAs are 'unused' in that we are not advertising those specific resources - would that cause issues with strict validators out in the wild?
> 
> My understanding reading through the RFCs is this should not be the case. If any ROA that matches the prefix for the origin AS exists it should be valid, regardless of other ROAs signed by the same resource holder etc.


In the given example, there will be no issue in terms of validation. The announcements are covered by the ROAs and are valid, so they will be accepted; it doesn’t matter whether the ROA set covers other prefixes or ranges that are not visible in the global routing table.


Cheers,
Abdul Awal
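The origin-validation behaviour the reply describes, as an added example that is not part of the thread: an RFC 6811 check (valid / invalid / notfound) run against Joe's seven-ROA layout and against the minimal layout Abdul recommends. The prefixes (documentation range) and AS numbers (private-use) are constructed, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ROA:
    prefix: str
    origin_as: int
    max_length: Optional[int] = None  # None: only the exact prefix length is authorised


def validate(route_prefix: str, origin_as: int, roas) -> str:
    """RFC 6811 origin validation state for one announcement: valid, invalid or notfound."""
    route = ipaddress.ip_network(route_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA "covers" the route when the route prefix lies inside the ROA prefix.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "notfound"  # no ROA says anything about this address space
    for roa, roa_net in covering:
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        # One matching (origin AS, length <= maxLength) ROA suffices; unused ROAs never hurt validity.
        if roa.origin_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered, but no ROA authorises this origin/length


HOLDER_AS = 64500  # constructed private-use ASN standing in for the resource holder

# Joe's layout: one /22, two /23 and four /24 ROAs, all for HOLDER_AS (constructed prefixes).
FULL_ROAS = [ROA(p, HOLDER_AS) for p in (
    "203.0.112.0/22", "203.0.112.0/23", "203.0.114.0/23",
    "203.0.112.0/24", "203.0.113.0/24", "203.0.114.0/24", "203.0.115.0/24")]

# Abdul's recommendation: ROAs only for what is actually advertised (the /22 and two /24s).
MINIMAL_ROAS = [ROA(p, HOLDER_AS) for p in (
    "203.0.112.0/22", "203.0.112.0/24", "203.0.113.0/24")]

ADVERTISED = ["203.0.112.0/22", "203.0.112.0/24", "203.0.113.0/24"]


def advertised_states(roas) -> dict:
    """Validation state of every advertised prefix under a given ROA set."""
    return {p: validate(p, HOLDER_AS, roas) for p in ADVERTISED}


if __name__ == "__main__":
    for name, roas in (("full", FULL_ROAS), ("minimal", MINIMAL_ROAS)):
        print(name, advertised_states(roas))
        # An unadvertised /24 from the holder's AS: valid under the full set (a ROA exists
        # for it), invalid under the minimal set, which is why exact-prefix ROAs are advised.
        print(name, "unadvertised /24 ->", validate("203.0.115.0/24", HOLDER_AS, roas))
```

Both sets leave every advertised prefix valid, which is the reply's point; the minimal set additionally stops an unadvertised more-specific from validating.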