I too was nervous going into it. But I can say everything was seamless. I didn’t see any glitch or downtime. Interestingly, now I understand many looking glass web pages and CLI-based route servers reflect the state of RPKI… with green, yellow, valid, etc. I did my ROA entries with the actual ARIN-assigned prefix length… (e.g. /19 … /32 …etc) and then added the optional MAX length, of /24 or /48, not fully understanding the dynamic of it other than assuming it means that, I can send routes as specific as that max length and still achieve RPKI validation using said ROA entries. Someone can confirm or deny or explain if my understanding is correct about that max length setting in the ROA entries. Aaron
On May 15, 2025, at 11:35 AM, Eric C. Miller <eric@ericheather.com> wrote:
I second this. I used to be scared of possibly going offline during the security filter updates, but I was given the advice to first get IRR route objects behind everything already advertised and then publish ROAs. ARIN's process is pretty slick that it auto-associates new ROAs with existing IRR routes.
Something to remember is that some of the larger tier providers only update their filter lists daily or bi-daily. From: Aaron Gould via NANOG <nanog@lists.nanog.org> Sent: Thursday, May 15, 2025 12:26 PM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Aaron Gould <aaron1@gvtc.com> Subject: rpki roa irr - i now believe
ok ok, now I understand and am a believer!
some of our address space was hijacked. i did the arin.net roa entries, and BAM-O... moments later, all my routes are validated and the erroneous hijacked routes are gone!
love it
wanted to share and emphasize to others, if you don't have your prefixes protected at your RIR (ARIN), do it. it only takes a few minutes.
https://www.arin.net/resources/manage/rpki/roa_request/
-- -Aaron
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PRA2CQTR...