
nanog@lists.nanog.org (Eric C. Miller via NANOG) wrote:
My understanding is that you should publish ROAs for exactly what you want to see in the DFZ. The max-length value has some value, but it's an attack vector that must be properly managed. In my case, we plan to advertise a /22 from each POP, so we publish a ROA with a.b.c.0/22, omitting the max-length. If I need to de-aggregate a specific prefix for any reason, I'll create a new ROA with the specific prefix.
Seconded. We also do that, and we try to always push all the prefixes that fall under that ROA's claim, so we know they're in the DFZ in full glory. Which also means we try to not publish too broad a ROA (can't be avoided sometimes).

I am, alas, surprised that ROAs work so well. If I - speaking theoretically! - were to hijack a network, and I was happy to only get *part* of the traffic, I'd know what to do. I would need a transit ISP that does no BCP38 though, and I REALLY hope those get fewer and fewer, but currently these ISPs exist, and *that* is the problem.

The real remedy, of course, is MANRS. Promote.

Elmar.
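A small route origin validation model, added here as an illustration and not part of either post: it applies the RFC 6811 Valid / Invalid / NotFound logic to show what a ROA published without max-length (the practice described above) does to a more-specific announcement, compared with a ROA that carries a max-length, and how a second, exact-prefix ROA is the way to authorize a deliberate de-aggregation. The prefixes (198.51.100.0/22, 192.0.2.0/24) and AS numbers (AS64500, AS64496) are constructed documentation values, not anything from the thread.

```python
"""Minimal RFC 6811 route origin validation (ROV) for one announced prefix.

Added example.  ROA sets and announcements are constructed documentation
values; nothing here is taken from a real RPKI repository.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str                    # authorized prefix, e.g. "198.51.100.0/22"
    asn: int                       # origin AS authorized to announce it
    max_length: Optional[int] = None  # None: only the exact prefix length is authorized

    def network(self) -> ipaddress._BaseNetwork:
        # strict=True rejects a prefix with host bits set (a malformed ROA)
        return ipaddress.ip_network(self.prefix, strict=True)

    def effective_max_length(self) -> int:
        # RFC 6482: an absent maxLength means the ROA covers the prefix itself only.
        if self.max_length is None:
            return self.network().prefixlen
        return self.max_length


def validate(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 state of a (prefix, origin AS) announcement.

    NotFound: no ROA covers the announced prefix at all (ROV has no opinion).
    Valid:    a covering ROA matches the origin AS and the announced prefix is
              no longer than that ROA's maxLength.
    Invalid:  covering ROA(s) exist but none matches; ROV-enforcing routers drop it.
    """
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering: List[ROA] = []
    for roa in roas:
        net = roa.network()
        # subnet_of() only compares networks of the same address family
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.effective_max_length():
            return "Valid"
    return "Invalid"


# Constructed ROA sets (AS64500 is the legitimate holder, AS64496 an unrelated AS).
STRICT_ROAS = [ROA("198.51.100.0/22", 64500)]                  # no max-length, as in the posts
LOOSE_ROAS = [ROA("198.51.100.0/22", 64500, max_length=24)]    # every /23 and /24 inside is authorized
DEAGG_ROAS = STRICT_ROAS + [ROA("198.51.100.0/24", 64500)]     # second ROA for one deliberately announced /24

# Constructed announcements seen by an ROV-enforcing router.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("198.51.100.0/22", 64500),   # the aggregate, from its holder
    ("198.51.100.0/24", 64500),   # a more-specific, from its holder
    ("198.51.101.0/24", 64500),   # another more-specific, from its holder
    ("198.51.100.0/24", 64496),   # a more-specific with an unrelated origin AS
    ("192.0.2.0/24", 64500),      # a prefix no ROA speaks about
]


def compare() -> Dict[str, Dict[str, str]]:
    """Validate the same announcements against each ROA set."""
    sets = {"strict": STRICT_ROAS, "loose": LOOSE_ROAS, "deagg": DEAGG_ROAS}
    return {
        name: {f"{prefix} AS{asn}": validate(prefix, asn, roas) for prefix, asn in ANNOUNCEMENTS}
        for name, roas in sets.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(f"--- ROA set: {name}")
        for announcement, state in results.items():
            print(f"{announcement:28s} {state}")
```

Under the strict set every /24 is Invalid until its own ROA exists, which is exactly the property the posts rely on: the DFZ can only carry what the holder explicitly authorized. With a max-length on the /22, a more-specific is judged on its origin AS alone, which is the reason RFC 9319 recommends issuing ROAs only for the prefixes that are actually announced.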