My understanding is that you should publish ROAs for exactly what you want to 
see in the DFZ. The max-length value has some value, but it's an attack vector 
that must be properly managed.

In my case, we plan to advertise a /22 from each POP, so we publish a ROA with 
a.b.c.0/22, omitting the max-length. If I need to de-aggregate a specific 
prefix for any reason, I'll create a new ROA with the specific prefix.

I'm tip-toeing around here, I'm not an RPKI pro. If someone more knowledgeable 
than I can opine, that would be great :)

Eric
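As an added illustration (not code from any post in this thread), here is the RFC 6811 origin-validation decision applied to both ROA styles discussed above: an exact /22 with the max-length omitted, and a /19 carrying a max-length of /24. Prefixes and AS numbers are constructed samples, not real registrations.

```python
from ipaddress import ip_network
from typing import Iterable, NamedTuple, Optional


class ROA(NamedTuple):
    prefix: str                       # authorised prefix, e.g. "10.10.0.0/22"
    asn: int                          # authorised origin AS
    max_length: Optional[int] = None  # None: only the exact prefix length is authorised


# Constructed sample ROAs (private space and documentation ASNs, not real data):
# one in the style of the top post (exact /22, no max-length) and one in the
# style of the quoted post (/19 with max-length /24).
ROAS = [
    ROA("10.10.0.0/22", 64500),
    ROA("10.20.0.0/19", 64501, max_length=24),
]


def covering_roas(roas: Iterable[ROA], route: str) -> list:
    """ROAs whose prefix contains the announced route (RFC 6811 section 2)."""
    r = ip_network(route, strict=False)
    found = []
    for roa in roas:
        p = ip_network(roa.prefix, strict=False)
        if p.version == r.version and r.subnet_of(p):
            found.append(roa)
    return found


def validate(roas: Iterable[ROA], route: str, origin_asn: int) -> str:
    """Return the RFC 6811 state for a route/origin pair: Valid, Invalid or NotFound."""
    r = ip_network(route, strict=False)
    covering = covering_roas(roas, route)
    if not covering:
        return "NotFound"  # no ROA covers the route at all; ROV does not reject it
    for roa in covering:
        # An omitted max-length means only the ROA prefix length itself is allowed,
        # so a more-specific announced from the same AS is still Invalid.
        allowed = roa.max_length
        if allowed is None:
            allowed = ip_network(roa.prefix, strict=False).prefixlen
        if roa.asn == origin_asn and r.prefixlen <= allowed:
            return "Valid"  # authorised origin and not more specific than allowed
    return "Invalid"  # covered by a ROA, but wrong origin or too specific


if __name__ == "__main__":
    for route, asn in [("10.10.0.0/22", 64500), ("10.10.1.0/24", 64500),
                       ("10.20.5.0/24", 64501), ("10.20.5.0/25", 64501),
                       ("10.20.0.0/19", 64999), ("10.30.0.0/24", 64500)]:
        print(route, asn, validate(ROAS, route, asn))
```

The /24 from the /22 holder comes back Invalid until a separate exact-prefix ROA is published, which is the de-aggregation step the post describes; the /19 with max-length /24 accepts any /24 inside it as long as it carries the authorised origin, which is the extra surface that has to be managed.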
________________________________
From: Aaron1 <[email protected]>
Sent: Thursday, May 15, 2025 1:08 PM
To: Eric C. Miller <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: rpki roa irr - i now believe

I too was nervous going into it.  But I can say everything was seamless.  I 
didn’t see any glitch or downtime.  Interestingly, now I understand many 
looking glass web pages and CLI-based route servers reflect the state of RPKI… 
with green, yellow, valid, etc.

I did my ROA entries with the actual ARIN-assigned prefix length… (e.g. /19 … 
/32 …etc) and then added the optional MAX length, of /24 or /48, not fully 
understanding the dynamic of it other than assuming it means that, I can send 
routes as specific as that max length and still achieve RPKI validation using 
said ROA entries.  Someone can confirm or deny or explain if my understanding 
is correct about that max length setting in the ROA entries.

Aaron

On May 15, 2025, at 11:35 AM, Eric C. Miller <[email protected]> wrote:


I second this.  I used to be scared of possibly going offline during the 
security filter updates, but I was given the advice to first get IRR route 
objects behind everything already advertised and then publish ROAs. ARIN's 
process is pretty slick that it auto-associates new ROAs with existing IRR 
routes.

Something to remember is that some of the larger tier providers only update 
their filter lists daily or bi-daily.
________________________________
From: Aaron Gould via NANOG <[email protected]>
Sent: Thursday, May 15, 2025 12:26 PM
To: [email protected] <[email protected]>
Cc: Aaron Gould <[email protected]>
Subject: rpki roa irr - i now believe

ok ok, now I understand and am a believer!

Some of our address space was hijacked.  I did the arin.net ROA entries,
and BAM-O... moments later, all my routes are validated and the
erroneous hijacked routes are gone!

love it

Wanted to share and emphasize to others: if you don't have your prefixes
protected at your RIR (ARIN), do it.  It only takes a few minutes.

https://www.arin.net/resources/manage/rpki/roa_request/

https://youtu.be/cVftieOVn1M

--
-Aaron

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/PRA2CQTRFDO4IOX4U6L5646ES7KIZLSL/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/4EBODXMNB3XUWYV327MQOZSSTZWBBZMY/