Thus spake Edvinas Kairys (edvinas.em...@gmail.com) on Tue, Oct 26, 2021 at 10:11:14AM +0300:
>
> Also, about ROA expirations, is it possible to configure an automatic ROA
> extension after it expires?

Well, you probably hit one of the next biggest operational issues, so
congrats ;-).

If you are in the ARIN region you might want to track the process for ACSP Suggestion 2021.15
https://www.arin.net/participate/community/acsp/suggestions/2021/2021-15/

If you are in another region you can see the differences here:
https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html?highlight=renew#functional-differences-across-rirs

Dale

> On Tue, Oct 26, 2021 at 12:35 AM Job Snijders <j...@fastly.com> wrote:
>
> > Dear Edvinas,
> >
> > On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> > > We're thinking of enabling BGP ROA, because more and more ISPs are using
> > > strict RPKI mode.
> > >
> > > Does enabling Hosted Mode (where it doesn't require any additional
> > > configuration on client end) on RPKI could for some reason cause a
> > > traffic loss ?
> > >
> > > The only disastrous scenario I could think of, is if we would enable ROA
> > > with incorrect sub prefixes, maximum prefix length. Am I right ?
> >
> > I think you correctly identified most of the potential pitfalls. Another
> > pitfall might be when a typo in the Origin AS value slips into the RPKI
> > ROA.
> >
> > For example, I originate 2001:67c:208c::/48 in the DFZ from AS 15562.
> > Should I accidentally modify the covering ROA to only permit AS 15563,
> > the planet's connectivity towards 2001:67c:208c::/48 would become
> > spotty.
> >
> > So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
> > monitoring tool. NTT's excellent BGPAlerter might be useful in this
> > context: https://github.com/nttgin/BGPalerter
> >
> > Don't deploy things without monitoring! :-)
> >
> > Kind regards,
> >
> > Job
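
The pitfalls named in this thread (a wrong Origin AS, a wrong maximum prefix length) can be checked before a ROA is published. The following is an added example, not part of the original messages and not code from BGPalerter: a minimal RFC 6811 origin-validation check run over planned ROAs. The names `ROA`, `validate` and `preflight` are hypothetical, and the 2001:db8::/32 prefix and AS 64500 are constructed documentation values; the /48 and AS 15562/15563 are the ones quoted in the thread.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # ROA prefix
    max_length: int  # longest announcement length the ROA authorises
    origin_as: int   # the only AS allowed to originate it

def validate(route_prefix, origin_as, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route equals or is more specific than it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS (AS 0 never matches) and a
        # route length no longer than the ROA's maximum length.
        if (roa.origin_as != 0 and roa.origin_as == origin_as
                and route.prefixlen <= roa.max_length):
            return "valid"
    # Covered but unmatched is what strict-RPKI networks drop.
    return "invalid" if covered else "not-found"

def preflight(announcements, planned_roas):
    """List own announcements that would not be 'valid' under planned_roas."""
    return [(p, a, s) for p, a in announcements
            if (s := validate(p, a, planned_roas)) != "valid"]

# What we originate today: the thread's /48 plus constructed sample routes.
ANNOUNCED = [("2001:67c:208c::/48", 15562),
             ("2001:db8::/32", 64500),
             ("2001:db8:1::/48", 64500)]

# Planned ROAs containing both mistakes discussed in the thread.
PLANNED_BAD = [ROA("2001:67c:208c::/48", 48, 15563),  # typo in Origin AS
               ROA("2001:db8::/32", 32, 64500)]       # max length too short
PLANNED_GOOD = [ROA("2001:67c:208c::/48", 48, 15562),
                ROA("2001:db8::/32", 48, 64500)]

if __name__ == "__main__":
    for prefix, asn, state in preflight(ANNOUNCED, PLANNED_BAD):
        print(f"{prefix} from AS{asn} would become {state}")
```

An empty result from `preflight` means every current announcement stays valid under the planned ROAs; monitoring is still needed afterwards, as the thread recommends.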