Thanks, will keep in mind. Also, about ROA expirations: is it possible to configure an automatic ROA extension after it expires?

On Tue, Oct 26, 2021 at 12:35 AM Job Snijders <j...@fastly.com> wrote:

> Dear Edvinas,
>
> On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> > We're thinking of enabling BGP ROA, because more and more ISPs are using
> > strict RPKI mode.
> >
> > Could enabling Hosted Mode (where it doesn't require any additional
> > configuration on client end) on RPKI for some reason cause a
> > traffic loss?
> >
> > The only disastrous scenario I could think of is if we would enable ROA
> > with incorrect sub prefixes, maximum prefix length. Am I right?
>
> I think you correctly identified most of the potential pitfalls. Another
> pitfall might be when a typo in the Origin AS value slips into the RPKI
> ROA.
>
> For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
> Should I accidentally modify the covering ROA to only permit AS 15563,
> the planet's connectivity towards 2001:67c:208c::/48 would become
> spotty.
>
> So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
> monitoring tool. NTT's excellent BGPAlerter might be useful in this
> context: https://github.com/nttgin/BGPalerter
>
> Don't deploy things without monitoring! :-)
>
> Kind regards,
>
> Job
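
The two pitfalls named in this thread (a wrong Origin AS and a too-short maximum prefix length in a ROA), as an added example that is not part of the original e-mails: a minimal route origin validation check following RFC 6811, run against planned ROAs before they are published. The function names are hypothetical, and the ROA tuples, the 2001:db8::/32 and 192.0.2.0/24 entries and AS 64500 are constructed sample values.

```python
import ipaddress

def rov_state(prefix, origin_as, roas):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811).

    roas: iterable of (roa_prefix, max_length, origin_as) tuples.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if it is the same prefix or a less specific one.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: strict-RPKI networks drop it.
    return "invalid" if covered else "not-found"

def announcements_at_risk(announcements, planned_roas):
    """Return {(prefix, origin_as): state} for announcements that would not be valid."""
    risky = {}
    for prefix, origin_as in announcements:
        state = rov_state(prefix, origin_as, planned_roas)
        if state != "valid":
            risky[(prefix, origin_as)] = state
    return risky

# What is announced today (first entry is the example from the thread, rest constructed).
ANNOUNCEMENTS = [
    ("2001:67c:208c::/48", 15562),
    ("2001:db8::/32", 64500),
    ("2001:db8:1::/48", 64500),   # more-specific of the /32
    ("192.0.2.0/24", 64500),      # no ROA planned for this one
]
# Planned ROAs (constructed) containing both mistakes discussed in the thread.
PLANNED_ROAS = [
    ("2001:67c:208c::/48", 48, 15563),  # typo: should be 15562
    ("2001:db8::/32", 32, 64500),       # maxLength 32 does not permit the /48
]

if __name__ == "__main__":
    for (prefix, asn), state in announcements_at_risk(ANNOUNCEMENTS, PLANNED_ROAS).items():
        print(f"{prefix} AS{asn}: {state}")
```

An empty result from `announcements_at_risk` means every current announcement would validate against the planned ROA set.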