On Wed, 17 Jun 2020, Richa wrote:
> Job,
>
> > RPKI ROA creation is a big hammer. Everyone needs to think carefully about each ROA they create and if it will positively or negatively impact their network.
>
> Could you please shed some more light on the above?
> How would an ROA have a negative impact if ROA(s) are created such that the entire prefix set is covered?

Just like I said, if you create an ROA for an aggregate, forgetting that you have customers using subnets of that aggregate (or didn't create ROAs for customer subnets with the right origin ASNs), you're literally telling those using RPKI to verify routes "don't accept our customers' routes." That might not be bad for "your network", but it's probably bad for someone's.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
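
The effect described in the message above, worked through with the RFC 6811 route origin validation procedure. This is an added example, not part of the original thread; the prefixes and ASNs are constructed from documentation ranges, with AS64496 assumed to be the provider and AS64500 its customer.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # prefix authorised by the ROA
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorised origin AS

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA "covers" a route when the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA "matches" only with the same origin AS (never AS0)
        # and a route length no longer than maxLength.
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but never matched is worse than having no ROA at all.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefix 2001:db8::/32, documentation ASNs).
AGGREGATE_ONLY = [ROA("2001:db8::/32", 32, 64496)]
WITH_CUSTOMER = AGGREGATE_ONLY + [ROA("2001:db8:100::/48", 48, 64500)]
CUSTOMER_ROUTE = ("2001:db8:100::/48", 64500)

if __name__ == "__main__":
    for label, roas in [("no ROAs", []),
                        ("aggregate ROA only", AGGREGATE_ONLY),
                        ("aggregate + customer ROA", WITH_CUSTOMER)]:
        print(f"{label:26} customer route -> {validate(*CUSTOMER_ROUTE, roas)}")
    # The provider's own more-specific also fails against maxLength 32.
    print("provider /48 deaggregate   ->",
          validate("2001:db8:200::/48", 64496, AGGREGATE_ONLY))
```

Before the aggregate ROA exists the customer route is only "not-found", which validating networks normally still accept; the aggregate ROA alone turns it "invalid" until a ROA with the customer's origin ASN is published.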