So while I will continue pushing for the rest of the world to create ROA's, turn on RPKI and enable ROV, I'll also advocate that operators continue to have both AS- and prefix-based filters. Not either/or, but both. Also, max-prefix as a matter of course.
This is the correct approach. We are a very long way from being able to flip the switch to say "everyone drop any RPKI UNKNOWN" , so in the meantime best practices for non-ROA covered prefixes still have to be done. On Fri, Jul 31, 2020 at 9:35 AM Mark Tinka <mark.tinka@seacom.com> wrote:
On 31/Jul/20 03:57, Aftab Siddiqui wrote:
Not a single prefix was signed, what I saw. May be good reason for Rogers, Charter, TWC etc to do that now. It would have stopped the propagation at Telia.
While I am a huge proponent for ROA's and ROV, it is a massive expectation to req filtering to work on the basis of all BGP participants creating their ROA's. It's what I would like, but there is always going to be a lag on this one.
If none of the prefixes had a ROA, no amount of Telia's shiny new "we drop invalids" machine would have helped, as we saw with this incident. ROV really only comes into its own when the majority of the Internet has correct ROA's setup. In the absence of that, it's a powerful but toothless feature.
So while I will continue pushing for the rest of the world to create ROA's, turn on RPKI and enable ROV, I'll also advocate that operators continue to have both AS- and prefix-based filters. Not either/or, but both. Also, max-prefix as a matter of course.
Mark.