Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> One danger with RPKI, is shooting yourself (or customers) in the foot by
> creating too general a ROA. i.e. Suppose you have an ARIN /20. You have
> a multihomed customer to whom you've assigned a /24 from your /20. You
> create a ROA for the /20 saying your ASN is authorized to originate your
> /20. Now that customer /24 has become an RPKI-invalid, and the customer
> may find that their other provider is filtering their /24 advertisement.
ie: you must also create roa(s) for your bgp customer's more specific(s) of
your aggregate.