On Wed, 17 Jun 2020, Richa wrote:
Job,
RPKI ROA creation is a big hammer. Everyone needs to think carefully
about each ROA they create and if it will positively or negatively
impact their network.
Could you please shed some more light on the above?
How would ROA negatively impact if ROA(s) is created such that the entire
prefix set is covered?
Just like I said, if you create an ROA for an aggregate, forgetting that
you have customers using subnets of that aggregate (or didn't create ROAs
for customer subnets with the right origin ASNs), you're literally telling
those using RPKI to verify routes "don't accept our customers' routes."
That might not be bad for "your network", but it's probably bad for
someone's.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
StackPath, Sr. Neteng | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
