On Oct 11, 2023, at 18:53, Willy Manga <mangawilly@gmail.com> wrote:
On 11/10/2023 22:29, Delong.com wrote:
[...]
Yes, but in that scenario any advertisements between /32 and /36 from that prefix originated by AS65500 are *valid*. That's why "ROAs should be as precise as possible, meaning they should match prefixes as announced in BGP" [1].
You completely ignored my statement of the need for appropriate AS-0 ROAs to block those.
I did not want to comment because you can go down that path *and* you will assume everyone doing ROV will consider AS0 ROAs as well.
Well, true, but AIUI, if you’re processing ROAs, one with AS0 must be considered as making every matching prefix “Invalid”. In fact, even if one doesn’t treat AS0 as a special case in an RPKI validator, AS0 isn’t going to match the origin AS for any route you see, or your router and all of the routers between you and the origin router are truly broken.
IMHO the bare minimum is to cover your advertisements with a ROA as precise as possible.
Agree, but in the case where you have to advertise some more specifics, as in the example I provided, then if I understand things correctly, you can’t be that precise and that’s why I provided the AS0 based solution for the invalid more specifics.
Owen
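The scenario discussed in this thread, run through RFC 6811 origin validation, as an added example that is not part of the original messages. AS65500 and the /32 to /36 range come from the thread; the 2001:db8::/32 documentation prefix, the choice of which /36 is announced, and the `VRP` and `validate` names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):          # validated ROA payload (hypothetical helper type)
    prefix: str
    max_length: int
    asn: int

def validate(route_prefix, origin_asn, vrps):
    """RFC 6811: 'valid' if any covering VRP matches, 'invalid' if the route
    is covered but nothing matches, 'not-found' if no VRP covers it."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue            # this VRP does not cover the route
        covered = True
        # An AS0 VRP covers the route but can never match an origin AS.
        if vrp.asn != 0 and vrp.asn == origin_asn \
                and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed VRP sets (documentation prefix, not real data).
LOOSE = [VRP("2001:db8::/32", 36, 65500)]            # one ROA, maxLength 36
PRECISE = [VRP("2001:db8::/32", 32, 65500),          # aggregate as announced
           VRP("2001:db8:1000::/36", 36, 65500)]     # the one announced /36
PRECISE_AS0 = PRECISE + [VRP("2001:db8::/32", 36, 0)]  # plus an AS0 ROA

# Constructed routes: two the holder announces, one it does not.
ROUTES = [("2001:db8::/32", 65500),
          ("2001:db8:1000::/36", 65500),
          ("2001:db8:2000::/36", 65500)]

def compare():
    """Return {set name: [state per route]} for the three VRP sets."""
    sets = {"loose": LOOSE, "precise": PRECISE, "precise+AS0": PRECISE_AS0}
    return {name: [validate(p, a, vrps) for p, a in ROUTES]
            for name, vrps in sets.items()}

if __name__ == "__main__":
    for name, states in compare().items():
        for (prefix, asn), state in zip(ROUTES, states):
            print(f"{name:12} {prefix:20} AS{asn}: {state}")
```
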