Thanks y’all. It’s interesting that routing works without RPKI. And if I put in my RIR-based ROA’s, it will invalidate any rouge advertisements…and now validate mine. Someone previously mentioned that if a bad actor tries to advertise a prefix with my AS as the origin (first “last” AS in the path list) that it could maybe circumvent RPKI…? I wouldn’t think it would be the easy. Or should I say I really hope it wouldn’t be that easy. Aaron
On May 17, 2025, at 10:57 PM, Job Snijders <job@sobornost.net> wrote:
On Thu, May 15, 2025 at 11:26:11AM -0500, Aaron Gould via NANOG wrote:
ok ok, now I understand and am a believer!
some of our address space was hijacked. i did the arin.net roa entries, and BAM-O... moments later, all my routes are validated and the erroneous hijacked routes are gone!
love it
had a similar experience at my previous employer: https://www.fastly.com/blog/war-story-rpki-is-working-as-intended
What used to be a large outage now ends up being no big deal
Kind regards,
Job