In general, you want to create suitable ROAs for the most specific routes that will be advertised first. Suppose you have a /20 from ARIN. You plan to take a /24 from that /20 to AWS. From what you've said, all you need is a ROA for the /24 you're taking to AWS, saying it can be originated by whatever ASN will be originating it at AWS. One danger with RPKI, is shooting yourself (or customers) in the foot by creating too general a ROA. i.e. Suppose you have an ARIN /20. You have a multihomed customer to whom you've assigned a /24 from your /20. You create a ROA for the /20 saying your ASN is authorized to originate your /20. Now that customer /24 has become an RPKI-invalid, and the customer may find that their other provider is filtering their /24 advertisement. On Tue, 1 Nov 2022, Alex Band wrote:
Creating ROAs for *all* the announcements that are done with your prefixes, both on your own AS and the ones announced by AWS, is probably the best way forward from both a routing security and ease-of-management perspective.
-Alex
On 28 Oct 2022, at 17:00, Samuel Jackson <bobin.public@gmail.com> wrote:
Hello, I am new to RPKI/ROA and still learning about RPKI. From all my reading on ARIN's documents I am not able to answer some of my questions. We have a public ARIN block and advertise smaller subnets from that to our ISP's. We do not have any RPKI configs. We need to setup ROA's to take another subnet from the ARIN block to AWS. Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI service after which I can configure ROA's for the networks I am taking to AWS.
My question is, will this impact my existing advertisements to my ISP's. The current advertisements do not have ROA's. Will having RPKI for my ARIN network, without ROA's for the existing advertisements impact me?
Thanks for your help.
Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html https://www.arin.net/resources/manage/rpki/roa_request/ https://www.arin.net/resources/manage/rpki/hosted/
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route StackPath, Sr. Neteng | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________