nanog mailing list archives
Re: Understanding impact of RPKI and ROA on existing advertisements
From: Jon Lewis <jlewis () lewis org>
Date: Tue, 1 Nov 2022 12:01:46 -0400 (EDT)
In general, you want to create suitable ROAs for the most specific routes that will be advertised first.
Suppose you have a /20 from ARIN. You plan to take a /24 from that /20 to AWS. From what you've said, all you need is a ROA for the /24 you're taking to AWS, saying it can be originated by whatever ASN will be originating it at AWS.
One danger with RPKI is shooting yourself (or customers) in the foot by creating too general a ROA. I.e., suppose you have an ARIN /20. You have a multihomed customer to whom you've assigned a /24 from your /20. You create a ROA for the /20 saying your ASN is authorized to originate your /20. Now that customer /24 has become RPKI-invalid, and the customer may find that their other provider is filtering their /24 advertisement.
On Tue, 1 Nov 2022, Alex Band wrote:
> Creating ROAs for *all* the announcements that are done with your prefixes, both on your own AS and the ones announced by AWS, is probably the best way forward from both a routing security and ease-of-management perspective.
>
> -Alex
>
> On 28 Oct 2022, at 17:00, Samuel Jackson <bobin.public () gmail com> wrote:
>
> > Hello,
> >
> > I am new to RPKI/ROA and still learning about RPKI. From all my reading on ARIN's documents I am not able to answer some of my questions.
> >
> > We have a public ARIN block and advertise smaller subnets from that to our ISPs. We do not have any RPKI configs. We need to set up ROAs to take another subnet from the ARIN block to AWS. Reading ARIN's docs, it seems I need to get set up on their Hosted RPKI service, after which I can configure ROAs for the networks I am taking to AWS.
> >
> > My question is, will this impact my existing advertisements to my ISPs? The current advertisements do not have ROAs. Will having RPKI for my ARIN network, without ROAs for the existing advertisements, impact me?
> >
> > Thanks for your help.
> >
> > Ref:
> > https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
> > https://www.arin.net/resources/manage/rpki/roa_request/
> > https://www.arin.net/resources/manage/rpki/hosted/
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 StackPath, Sr. Neteng       |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
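The origin-validation rule that Jon's warning and Alex's advice both rest on, written out as an added example (not code posted in this thread, and not any real validator's implementation). It applies RFC 6811 validation to the three ROA sets the thread talks about: only a ROA for the /24 going to AWS, one ROA for the whole /20, and one ROA per announcement. All prefixes and ASNs are made up: 10.10.0.0/20 stands in for the ARIN block, AS64496 for the poster's own ASN, AS64497 for the multihomed customer, and AS64498 for whichever ASN AWS originates from. It goes one step past Jon's example by also showing that the poster's own more-specific /24s become invalid under a /20-only ROA, because a ROA with no explicit maxLength authorises only the exact prefix length.

```python
"""Route origin validation (RFC 6811) over a hand-built ROA set.

Added example for this thread, not code posted by anyone in it and not a
real validator. The /20, its /24s and the ASNs are made up: 10.10.0.0/20
stands in for the ARIN block, AS64496 for the poster's own ASN, AS64497
for the multihomed customer, AS64498 for whatever ASN AWS originates from.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROA(NamedTuple):
    prefix: IPNet
    asn: int
    max_length: int  # longest prefix length the ASN may announce from this block


def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build one ROA. With no explicit maxLength only the exact prefix is authorised."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, asn, ml)


def validate(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' a route when the route falls inside the ROA prefix. Once any
    ROA covers the route, the route is valid only if some covering ROA names the
    origin ASN *and* allows the route's length; otherwise it is invalid. A route
    covered by no ROA at all is not-found, which most operators still accept.
    """
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def worked_example() -> Dict[str, str]:
    """The three ROA sets discussed in the thread, applied to the same announcements."""
    announcements = [  # constructed sample announcements
        ("aggregate",         "10.10.0.0/20", 64496),  # poster's own /20
        ("own-more-specific", "10.10.8.0/24", 64496),  # a /24 the poster announces to ISPs
        ("customer",          "10.10.5.0/24", 64497),  # multihomed customer's /24
        ("aws",               "10.10.9.0/24", 64498),  # /24 taken to AWS (BYOIP)
        ("other-block",       "10.20.0.0/22", 64496),  # unrelated block, never covered
    ]
    roa_sets: Dict[str, List[ROA]] = {
        # Jon's first point: a ROA for just the /24 going to AWS leaves the rest not-found.
        "aws-only": [roa("10.10.9.0/24", 64498)],
        # Jon's warning: one ROA for the whole /20 with the default maxLength.
        "general": [roa("10.10.0.0/20", 64496)],
        # Alex's advice: one ROA per announcement, own AS and AWS alike.
        "complete": [
            roa("10.10.0.0/20", 64496),
            roa("10.10.8.0/24", 64496),
            roa("10.10.5.0/24", 64497),
            roa("10.10.9.0/24", 64498),
        ],
    }
    results: Dict[str, str] = {}
    for set_name, roas in roa_sets.items():
        for label, prefix, asn in announcements:
            results[f"{set_name}/{label}"] = validate(prefix, asn, roas)
    return results


if __name__ == "__main__":
    for key, state in worked_example().items():
        print(f"{key:32} {state}")
```

Running it shows the thread's answer in one table: with only the AWS /24 ROA, every other announcement stays not-found, so nothing already in the table changes state; with only the /20 ROA, the customer's /24, the AWS /24 and even the poster's own /24s all flip to invalid; with one ROA per announcement everything is valid. Raising maxLength to 24 on the /20 ROA would rescue the poster's own /24s but not the customer's or AWS's, and it would also authorise AS64496 to originate any /24 in the block, which is the loose-maxLength pattern RFC 9319 advises against.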
Current thread:
- Understanding impact of RPKI and ROA on existing advertisements Samuel Jackson (Nov 01)
- RE: Understanding impact of RPKI and ROA on existing advertisements Kevin Burke (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements Alex Band (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements Jon Lewis (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements heasley (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements Samuel Jackson (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements Randy Bush (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements Josh Luthman (Nov 02)
- Re: Understanding impact of RPKI and ROA on existing advertisements Jon Lewis (Nov 01)
- Re: Understanding impact of RPKI and ROA on existing advertisements heasley (Nov 02)
- Re: Understanding impact of RPKI and ROA on existing advertisements Owen DeLong via NANOG (Nov 02)
- Re: Understanding impact of RPKI and ROA on existing advertisements jim deleskie (Nov 02)
- <Possible follow-ups>
- RE: Understanding impact of RPKI and ROA on existing advertisements Jakob Heitz (jheitz) via NANOG (Nov 03)