Re: Understanding impact of RPKI and ROA on existing advertisements

Tue, 01 Nov 2022 09:02:25 -0700

In general, you want to create suitable ROAs for the most specific routes that will be advertised first.
Suppose you have a /20 from ARIN. You plan to take a /24 from that /20 to AWS. From what you've said, all you need is a ROA for the /24 you're taking to AWS, saying it can be originated by whatever ASN will be originating it at AWS. 


One danger with RPKI, is shooting yourself (or customers) in the foot by 
creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have 
a multihomed customer to whom you've assigned a /24 from your /20.  You 
create a ROA for the /20 saying your ASN is authorized to originate your 
/20.  Now that customer /24 has become an RPKI-invalid, and the customer 
may find that their other provider is filtering their /24 advertisement.


On Tue, 1 Nov 2022, Alex Band wrote:


Creating ROAs for *all* the announcements that are done with your prefixes, 
both on your own AS and the ones announced by AWS, is probably the best way 
forward from both a routing security and ease-of-management perspective.

-Alex


On 28 Oct 2022, at 17:00, Samuel Jackson <bobin.pub...@gmail.com> wrote:

Hello,
I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
ARIN's documents I am not able to answer some of my questions.
We have a public ARIN block and advertise smaller subnets from that to our 
ISP's. We do not have any RPKI configs.
We need to setup ROA's to take another subnet from the ARIN block to AWS. 
Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI service 
after which I can configure ROA's for the networks I am taking to AWS.

My question is, will this impact my existing advertisements to my ISP's. The 
current advertisements do not have ROA's.
Will having RPKI for my ARIN network, without ROA's for the existing 
advertisements impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/





----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________






















					Reply via email to