There are a lot of ROAs out there that make it EASIER to hijack a route rather than harder.

If you register an ROA for a route and also advertise that route in BGP, then an attacker who prepends your ASN has to at least compete with your route with an AS_PATH length and will lose in most of the Internet (but not all of it). However, if you don't advertise the route, then the attacker has nothing to compete with and his prepended route will be accepted as RPKI valid everywhere.

Remember max_length in a ROA. All routes covered by that max_length will be considered valid by RPKI if the origin ASN matches. If you don't advertise them all, then you are just making it EASIER for an attacker to hijack them.

For example if you have an ROA for 10.1.0.0/16, max_length 17, that includes the routes:

    10.1.0.0/16
    10.1.0.0/17
    10.1.128.0/17

If you don't advertise all those routes in BGP, they are open to being hijacked and considered RPKI valid.

OTOH, if you register the ROA as 10.1.0.0/16 max_length 16, then anyone who tries to advertise 10.1.0.0/17 will have their advertisement rejected as RPKI invalid.

I'm aware that people create ROAs for more specifics in case they need to advertise them to break a hijack. But then the hijacker could just advertise the longest prefix allowed by the ROA. You can't break that with a yet more specific. Unless the user of the route is not validating with RPKI. It's a conundrum.

Regards,
Jakob.
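An audit for the gap described in the message above, added here as an example and not part of the original post: it lists every prefix a ROA authorises that the holder does not announce, and applies RFC 6811 origin validation to show how the maxLength choice changes the outcome. AS64500 is a documentation ASN used as a placeholder, and the function names are hypothetical.

```python
import ipaddress

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation state for one announcement.
    roas is a list of (prefix, max_length, asn) tuples."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if net.prefixlen <= max_len and asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"

def unannounced_valid_routes(roas, announced):
    """Prefixes that validate as RPKI valid for the ROA's ASN but that the
    holder does not announce, so a forged-origin route has no competitor.
    Enumeration grows as 2^(max_length - prefix length); keep the gap small."""
    have = {ipaddress.ip_network(p) for p in announced}
    exposed = set()
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        for length in range(roa_net.prefixlen, max_len + 1):
            for sub in roa_net.subnets(new_prefix=length):
                if sub not in have:
                    exposed.add((sub, asn))
    ordered = sorted(exposed, key=lambda e: (e[0].version,
                     int(e[0].network_address), e[0].prefixlen, e[1]))
    return [(str(net), asn) for net, asn in ordered]

# Constructed sample data matching the figures in the message.
LOOSE_ROA = [("10.1.0.0/16", 17, 64500)]   # max_length 17
TIGHT_ROA = [("10.1.0.0/16", 16, 64500)]   # max_length 16
ANNOUNCED = ["10.1.0.0/16"]                # what the holder sends in BGP

if __name__ == "__main__":
    for name, roas in (("max_length 17", LOOSE_ROA), ("max_length 16", TIGHT_ROA)):
        print(name)
        print("  unannounced but valid:", unannounced_valid_routes(roas, ANNOUNCED))
        print("  10.1.0.0/17 with origin AS64500:",
              rov_state("10.1.0.0/17", 64500, roas))
```

Feed it the ROAs exported from your validator and the prefixes you actually originate; any entry it returns is a candidate for tightening max_length or for announcing the route.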