
RPKI isn't the whole picture. It's about validating ORIGIN-AS. The rest of IRR is still relevant when it comes to protecting the AS-PATH. Hijacked prefixes of the same size won't travel as far nowadays because of widespread adoption amongst the larger providers.

Eric
________________________________
From: Laszlo H via NANOG <nanog@lists.nanog.org>
Sent: Thursday, May 15, 2025 4:59 PM
To: Aaron Gould via NANOG <nanog@lists.nanog.org>
Cc: Laszlo H <laszlo@heliacal.net>
Subject: Re: rpki roa irr - i now believe

If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid?

On 2025-05-15 16:26, Aaron Gould via NANOG wrote:
ok ok, now I understand and am a believer!
some of our address space was hijacked. i did the arin.net roa entries, and BAM-O... moments later, all my routes are validated and the erroneous hijacked routes are gone!
love it
wanted to share and emphasize to others, if you don't have your prefixes protected at your RIR (ARIN), do it. it only takes a few minutes.
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/KK57NLCH...
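
The point debated in this thread, as an added example that is not part of any poster's message: a minimal route origin validation check in the style of RFC 6811, showing which announcements a ROA turns invalid and why an announcement that keeps the authorized ASN as origin still validates. The VRP table, prefixes, ASNs and function names are constructed for illustration (documentation ranges), not taken from the thread.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]

def rov_state(prefix, as_path, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    Only the origin AS (last AS in the path) is compared against the
    VRPs; the rest of the AS path is never examined.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # AS 0 in a VRP never matches any origin.
        if asn != 0 and asn == origin and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed announcements: name -> (prefix, AS path as seen by the validator).
ROUTES = {
    "legitimate":    ("192.0.2.0/24", [64510, 64500]),
    "wrong origin":  ("192.0.2.0/24", [64510, 64501]),
    "too specific":  ("2001:db8:1:1::/64", [64510, 64500]),
    "forged origin": ("192.0.2.0/24", [64510, 64501, 64500]),
    "no ROA":        ("198.51.100.0/24", [64510, 64511]),
}

def classify_all(routes=ROUTES):
    """Return {name: validation state} for every sample announcement."""
    return {name: rov_state(p, path) for name, (p, path) in routes.items()}

if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:14} {state}")
```

The "forged origin" route validates because nothing in the check looks past the last ASN, which is why AS-PATH protections remain relevant alongside ROAs.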