1 Nov 2022, 12:07 p.m.
Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
One danger with RPKI is shooting yourself (or customers) in the foot by creating too general a ROA. i.e. Suppose you have an ARIN /20. You have a multihomed customer to whom you've assigned a /24 from your /20. You create a ROA for the /20 saying your ASN is authorized to originate your /20. Now that customer /24 has become an RPKI-invalid, and the customer may find that their other provider is filtering their /24 advertisement.
i.e., you must also create ROA(s) for your BGP customer's more specific(s) of your aggregate.
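The scenario discussed in this thread, run through the RFC 6811 origin-validation rules, as an added example that is not part of the original messages. The prefixes (from the 198.18.0.0/15 benchmarking range), the AS numbers (documentation ASNs 64500 and 64501) and the maxLength values are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA covers
    max_length: int  # longest announcement the ROA authorizes
    asn: int         # ASN authorized to originate

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA "covers" a route when the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # "Matched" additionally needs the same origin ASN (AS0 never matches)
        # and a route length no longer than the ROA's maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none is invalid, not unknown.
    return "invalid" if covered else "not-found"

# Constructed sample data: provider AS64500 holds the /20, multihomed
# customer AS64501 announces a /24 assigned out of it.
PROVIDER_ROA = ROA("198.18.0.0/20", 20, 64500)
CUSTOMER_ROA = ROA("198.18.5.0/24", 24, 64501)

def scenario():
    """Validation state of each announcement as ROAs are published."""
    stages = {
        "no ROAs": [],
        "provider /20 ROA only": [PROVIDER_ROA],
        "provider /20 + customer /24 ROA": [PROVIDER_ROA, CUSTOMER_ROA],
    }
    return {
        name: {
            "198.18.0.0/20 from AS64500": validate("198.18.0.0/20", 64500, roas),
            "198.18.5.0/24 from AS64501": validate("198.18.5.0/24", 64501, roas),
        }
        for name, roas in stages.items()
    }

if __name__ == "__main__":
    for stage, results in scenario().items():
        print(stage, results)
```
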