Re: Hurricane Electric has reached 0 RPKI INVALIDs in our routing table
On Wed, 17 Jun 2020, Richa wrote:
Job,
RPKI ROA creation is a big hammer. Everyone needs to think carefully about each ROA they create and if it will positively or negatively impact their network.
Could you please shed some more light on the above?
How would ROA negatively impact if ROA(s) is created such that the entire prefix set is covered?
Just like I said, if you create an ROA for an aggregate, forgetting that you have customers using subnets of that aggregate (or didn't create ROAs for customer subnets with the right origin ASNs), you're literally telling those using RPKI to verify routes "don't accept our customers' routes." That might not be bad for "your network", but it's probably bad for someone's.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
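The failure mode Jon describes can be traced through the route origin validation algorithm itself (RFC 6811: a route is NotFound when no ROA covers it, Valid when some covering ROA matches the origin ASN and its maxLength, and Invalid otherwise). The following is an added example, not code from the thread or from any participant; the ASNs 64500/64501 and the prefixes 192.0.2.0/24 and 192.0.2.128/25 are constructed documentation values, and `find_routes_broken_by_signing` is a hypothetical pre-signing check rather than any real tool's API.

```python
"""Route origin validation (RFC 6811) applied to the aggregate-ROA pitfall.

Scenario (constructed): the upstream AS 64500 holds 192.0.2.0/24 and lets
its customer AS 64501 announce 192.0.2.128/25 in the global routing table.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class State(Enum):
    NOT_FOUND = "NotFound"   # no ROA covers the prefix; most operators accept
    VALID = "Valid"          # a covering ROA matches origin ASN and maxLength
    INVALID = "Invalid"      # covered, but no ROA matches: RPKI-filtering ASes drop it


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_asn: int


def _covers(roa: ROA, route_net) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate(route: Route, roas: list[ROA]) -> State:
    """RFC 6811 validation state of one route against a set of ROAs."""
    route_net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if _covers(r, route_net)]
    if not covering:
        return State.NOT_FOUND
    for roa in covering:
        if roa.asn == route.origin_asn and route_net.prefixlen <= roa.max_length:
            return State.VALID
    return State.INVALID


def find_routes_broken_by_signing(planned_roas: list[ROA], downstream_routes: list[Route]) -> list[Route]:
    """Hypothetical pre-signing check: which downstream announcements would
    flip to Invalid once the planned ROAs are published?"""
    return [r for r in downstream_routes if validate(r, planned_roas) is State.INVALID]


# Constructed values for the walkthrough.
UPSTREAM_AS, CUSTOMER_AS = 64500, 64501
AGGREGATE, CUSTOMER_PREFIX = "192.0.2.0/24", "192.0.2.128/25"


def scenario() -> dict[str, State]:
    customer_route = Route(CUSTOMER_PREFIX, CUSTOMER_AS)
    upstream_route = Route(AGGREGATE, UPSTREAM_AS)

    aggregate_only = [ROA(AGGREGATE, 24, UPSTREAM_AS)]
    # Loosening maxLength does not help: the customer's origin ASN still differs.
    aggregate_loose_maxlen = [ROA(AGGREGATE, 25, UPSTREAM_AS)]
    # The fix Jon implies: a ROA for the customer subnet with the customer's ASN.
    complete = aggregate_only + [ROA(CUSTOMER_PREFIX, 25, CUSTOMER_AS)]

    return {
        "customer_before_signing": validate(customer_route, []),
        "customer_aggregate_roa_only": validate(customer_route, aggregate_only),
        "customer_aggregate_maxlen25": validate(customer_route, aggregate_loose_maxlen),
        "customer_with_own_roa": validate(customer_route, complete),
        "upstream_aggregate": validate(upstream_route, complete),
    }


if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:32s} {state.value}")
    broken = find_routes_broken_by_signing(
        [ROA(AGGREGATE, 24, UPSTREAM_AS)], [Route(CUSTOMER_PREFIX, CUSTOMER_AS)]
    )
    print("would break on signing:", [r.prefix for r in broken])
```

Running the scenario shows the customer's /25 going from NotFound (accepted almost everywhere) to Invalid the moment only the aggregate ROA is published, and back to Valid only once a ROA naming the customer's origin ASN exists; the pre-signing check is the kind of inventory an upstream would want to run over its downstream announcements before signing.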
Hi,

On Thu, Jun 18, 2020, at 04:01, Jon Lewis wrote:
Just like I said, if you create an ROA for an aggregate, forgetting that you have customers using subnets of that aggregate (or didn't create ROAs for customer subnets with the right origin ASNs), you're literally telling those using RPKI to verify routes "don't accept our customers' routes." That might not be bad for "your network", but it's probably bad for someone's.
That makes you a bad upstream operator, one that does things without understanding the consequences. This may still be the unfortunate norm, but it's by no means something to be considered an acceptable state.

Put otherwise: if you have downstream customers that you allow to announce part of your address space in the GRT, make sure you can still provide the service after making changes (like RPKI signing).

Put in yet another way: if you lease IP space (with or without connectivity), make sure all the additional services are included in one way or another. Those services should include RPKI signing and reverse DNS, and the strict minimum (only slightly better than not doing it at all) should be via "open a service ticket"; the more automated the better.