Look into your router OS of choice’s RPKI validation implementation — here’s a (somewhat dated) example for IOS-XR: https://archive.nanog.org/sites/default/files/Patel.pdf
Routinator from NLnet Labs (https://www.nlnetlabs.nl/projects/routing/routinator/) is a great validation service/proxy/etc. to deploy on your local telemetry network, and have the routers pull from. On May 17, 2025, at 4:54 PM, Aaron1 via NANOG <[email protected]> wrote: It worked for me. A portion of my address space was being advertised from an ISP in Africa… I quickly learned about ARIN RPKI ROA, did it, and within about 10 minutes the wrong routes was gone from looking glass/route servers and suddenly all my ARIN-assigned prefixes showed as “validated” and green. I’m wondering how this works. Do SP’s have some sort of api or bgp session with a rpki database at ARIN? I mean this all must be linked to gather somehow for it to work as nicely as it did. Aaron On May 17, 2025, at 3:23 PM, Randy Bush via NANOG <[email protected]> wrote: If the goal of someone were to hijack your routing, they could (should) announce it using your ASN and thus it would still be RPKI valid? ROV is not a serious security mechanism. it also does not wash your car. it is meant to deter mis-originations. it seems to work. randy _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/VCU3LBDGVTEFTRQ3L7SV4DWUTGBZ26V2/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/PA3RR4CP6ACMETPQNRZLPSMYTGUL4NVR/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/2ZDRONOKWDWYYBRLDGHTMN2D56QMQGUO/
