On 06/05/2013 08:31, Adam Vitkovsky wrote:
> Well you can always just lower the preference for a particular prefix based on the roa state or roa missing. Then it is solely up to your customers whether they bother to register their prefixes to avoid hijacks or not, as you'll be ready on your part.
yep, you can depref stuff but it won't necessarily do what you want. E.g. if someone in Iran decides to announce a more-specific for some prefix in Germany: https://twitter.com/bgpmon/status/330777020395040768 then the roa validation process would return "invalid". If you depref this, the more-specific will still provide the best path, so it's pretty useless. The only way to handle this is to drop roa-invalid paths completely, but it's not going to be possible to implement that as a general routing policy until the rpki data is pretty good quality overall.

Nick
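The depref-versus-drop point in the reply above, worked through as an added example that is not part of the original message: RFC 6811 origin validation feeding a toy RIB, then a longest-prefix-match lookup. The prefixes, ASNs, local-pref values and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [("198.51.100.0/24", 24, 64500)]   # (prefix, maxLength, origin AS)
ROUTES = [("198.51.100.0/24", 64500),     # legitimate announcement
          ("198.51.100.0/25", 64511),     # more-specific from another origin
          ("203.0.113.0/24", 64501)]      # prefix with no ROA at all

def roa_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = [(m, a) for p, m, a in roas
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "notfound"
    if any(a == origin and net.prefixlen <= m for m, a in covering):
        return "valid"
    return "invalid"

def build_rib(routes, policy):
    """policy 'depref' lowers local-pref on invalids; 'drop' rejects them."""
    rib = {}
    for prefix, origin in routes:
        state = roa_state(prefix, origin)
        if state == "invalid" and policy == "drop":
            continue
        local_pref = 50 if state == "invalid" else 100  # illustrative values
        net = ipaddress.ip_network(prefix)
        # Local-pref only chooses between paths for the SAME prefix.
        if net not in rib or local_pref > rib[net][0]:
            rib[net] = (local_pref, origin, state)
    return rib

def forward(rib, dst):
    """Longest-prefix match: the forwarding lookup never sees local-pref."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in rib if addr in n]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)][1]

if __name__ == "__main__":
    for policy in ("depref", "drop"):
        rib = build_rib(ROUTES, policy)
        print(policy, "-> 198.51.100.10 forwarded toward AS",
              forward(rib, "198.51.100.10"))
```

Under "depref" the invalid /25 is still installed and wins the lookup for addresses it covers; under "drop" the same lookup falls back to the valid /24, while the route with no ROA is unaffected by either policy.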