Thanks everyone for your inputs. So, bottom line: set up RPKI and set up ROAs for all our subnets being advertised.
Much of this is legacy and has too many unknowns; being handed down networks without documentation also does not help.

Thanks,
Sam


On Tue, Nov 1, 2022 at 9:07 AM heasley <heas@shrubbery.net> wrote:
Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> One danger with RPKI is shooting yourself (or customers) in the foot by
> creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have
> a multihomed customer to whom you've assigned a /24 from your /20.  You
> create a ROA for the /20 saying your ASN is authorized to originate your
> /20.  Now that customer /24 has become an RPKI-invalid, and the customer
> may find that their other provider is filtering their /24 advertisement.

i.e., you must also create ROA(s) for your BGP customer's more specific(s) of
your aggregate.
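
Added example (not part of the thread and not code from any of the posters): RFC 6811 route origin validation applied to the /20 and /24 case described above, showing the state of each announcement before and after the customer ROA exists. The prefixes, the AS numbers and the assumption that the customer originates the /24 from its own ASN are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA authorizes
    max_length: int  # longest prefix length the ROA allows
    asn: int         # AS authorized to originate it

def validate(route: str, origin_as: int, roas: list[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when its prefix contains the route's prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches when the length fits and the origin AS agrees
        # (AS 0 never matches any route).
        if net.prefixlen <= roa.max_length and roa.asn == origin_as and roa.asn != 0:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data: private address space and private-use ASNs.
PROVIDER_AS, CUSTOMER_AS = 64500, 64501
AGGREGATE, CUSTOMER_NET = "10.20.0.0/20", "10.20.5.0/24"

def scenarios() -> dict[str, str]:
    only_aggregate = [ROA(AGGREGATE, 20, PROVIDER_AS)]
    # Raising maxLength on the provider's ROA does not help a customer
    # who originates the /24 from a different AS.
    wider_max_length = [ROA(AGGREGATE, 24, PROVIDER_AS)]
    with_customer_roa = only_aggregate + [ROA(CUSTOMER_NET, 24, CUSTOMER_AS)]
    return {
        "no ROAs at all": validate(CUSTOMER_NET, CUSTOMER_AS, []),
        "aggregate, /20 ROA only": validate(AGGREGATE, PROVIDER_AS, only_aggregate),
        "customer /24, /20 ROA only": validate(CUSTOMER_NET, CUSTOMER_AS, only_aggregate),
        "customer /24, maxLength 24": validate(CUSTOMER_NET, CUSTOMER_AS, wider_max_length),
        "customer /24, own ROA added": validate(CUSTOMER_NET, CUSTOMER_AS, with_customer_roa),
        "aggregate, own ROA added": validate(AGGREGATE, PROVIDER_AS, with_customer_roa),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:30} {state}")
```

Running the same check over every prefix and origin AS currently seen under an aggregate, before publishing the aggregate's ROA, lists the more specifics that need their own ROAs first.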