Hi Joe,

Great work on ROA and RPKI.

Like you said, it is recommended to create ROAs for the prefixes that you 
advertise. In other words, create the minimum number of ROAs to cover the exact 
prefixes that you advertise, to avoid a “Validated Hijack”.


> On 23 May 2024, at 3:46 PM, Joseph Goldman <jos...@goldman.id.au> wrote:
> 
> i.e. say we had a /22 ROA, 2x /23 ROAs and 4x /24 ROAs, and are currently 
> advertising the /22 and 2x /24's, so 2x /23 and 2x /24 ROAs are 'unused' in 
> that we are not advertising those specific resources - would that cause 
> issues with strict validators out in the wild?
> 
> My understanding reading through the RFCs is this should not be the case. 
> If any ROA that matches the prefix for the origin AS exists it should be 
> valid, regardless of other ROAs signed by the same resource holder etc.


In the given example, there will be no issue in terms of validation. The 
announcements are covered by the ROAs and are valid, so they will be accepted; 
it doesn’t matter whether the ROAs cover other prefixes or ranges that are not 
visible in the global routing table.


Cheers,
Abdul Awal
_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog
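To make the validation logic in this exchange concrete, here is an added example (not from either poster, and not any RPKI validator's own code) that applies the RFC 6811 origin-validation rules to Joe's ROA set. The prefixes (10.0.0.0/22 and its more-specifics) and origin AS 64500 are constructed placeholders standing in for the real resources; the helper names `route_origin_validity` and `unused_roas` are assumptions of this example. It shows that the announced /22 and the two /24s are Valid despite the extra ROAs, and lists the four ROAs that authorise nothing currently announced, which is the set Abdul recommends trimming.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorisation: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def _net(prefix):
    return ip_network(prefix, strict=False)


def _covers(roa, route):
    """RFC 6811: a ROA covers a route if the route's prefix lies inside the ROA prefix
    (same address family, route length >= ROA length)."""
    roa_net, route_net = _net(roa.prefix), _net(route)
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def route_origin_validity(route, origin_as, roas):
    """Return 'Valid', 'Invalid' or 'NotFound' for (route, origin AS) against a ROA set.
    NotFound: no ROA covers the prefix. Valid: some covering ROA has the same origin AS
    and a maxLength >= the route's length. Invalid: covered, but no ROA matches."""
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return "NotFound"
    plen = _net(route).prefixlen
    for r in covering:
        if r.origin_as == origin_as and plen <= r.max_length:
            return "Valid"
    return "Invalid"


def unused_roas(roas, announcements):
    """Hygiene check: ROAs that do not make any current announcement Valid.
    Each of these authorises an origin for a prefix nobody is announcing, so it widens
    what a validator would accept without serving any live route."""
    return [
        r for r in roas
        if not any(route_origin_validity(route, asn, [r]) == "Valid"
                   for route, asn in announcements)
    ]


# Constructed ROA set mirroring the thread: one /22, two /23s, four /24s, all for
# the same (documentation-range) origin AS, each with maxLength equal to its own length.
ROAS = [
    Roa("10.0.0.0/22", 22, 64500),
    Roa("10.0.0.0/23", 23, 64500),
    Roa("10.0.2.0/23", 23, 64500),
    Roa("10.0.0.0/24", 24, 64500),
    Roa("10.0.1.0/24", 24, 64500),
    Roa("10.0.2.0/24", 24, 64500),
    Roa("10.0.3.0/24", 24, 64500),
]

# Constructed announcements: the /22 and two of the /24s, as in Joe's question.
ANNOUNCEMENTS = [
    ("10.0.0.0/22", 64500),
    ("10.0.0.0/24", 64500),
    ("10.0.2.0/24", 64500),
]

if __name__ == "__main__":
    for route, asn in ANNOUNCEMENTS:
        print(route, asn, route_origin_validity(route, asn, ROAS))
    # A foreign origin, or a more-specific beyond any maxLength, is Invalid;
    # a prefix with no covering ROA at all is NotFound.
    print("10.0.1.0/24", 64501, route_origin_validity("10.0.1.0/24", 64501, ROAS))
    print("10.0.0.0/25", 64500, route_origin_validity("10.0.0.0/25", 64500, ROAS))
    print("10.1.0.0/24", 64500, route_origin_validity("10.1.0.0/24", 64500, ROAS))
    print("unused ROAs:", [r.prefix for r in unused_roas(ROAS, ANNOUNCEMENTS)])
```

Note that the /23 ROAs cover the announced /24s but cannot make them Valid, because their maxLength (23) is shorter than the route; that is exactly why they count as unused here, and why a ROA's maxLength, not just its prefix, decides what it authorises.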
