>
> So while I will continue pushing for the rest of the world to create
> ROA's, turn on RPKI and enable ROV, I'll also advocate that operators
> continue to have both AS- and prefix-based filters. Not either/or, but
> both. Also, max-prefix as a matter of course.
>

This is the correct approach. We are a very long way from being able to flip the switch to say "everyone drop any RPKI UNKNOWN", so in the meantime best practices for non-ROA covered prefixes still have to be done.

On Fri, Jul 31, 2020 at 9:35 AM Mark Tinka <mark.ti...@seacom.com> wrote:

>
>
> On 31/Jul/20 03:57, Aftab Siddiqui wrote:
> > Not a single prefix was signed, what I saw. May be good reason for
> > Rogers, Charter, TWC etc to do that now. It would have stopped the
> > propagation at Telia.
>
> While I am a huge proponent for ROA's and ROV, it is a massive
> expectation to req filtering to work on the basis of all BGP
> participants creating their ROA's. It's what I would like, but there is
> always going to be a lag on this one.
>
> If none of the prefixes had a ROA, no amount of Telia's shiny new "we
> drop invalids" machine would have helped, as we saw with this incident.
> ROV really only comes into its own when the majority of the Internet has
> correct ROA's setup. In the absence of that, it's a powerful but
> toothless feature.
>
> So while I will continue pushing for the rest of the world to create
> ROA's, turn on RPKI and enable ROV, I'll also advocate that operators
> continue to have both AS- and prefix-based filters. Not either/or, but
> both. Also, max-prefix as a matter of course.
>
> Mark.
>
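
The layering discussed in this thread, as an added example that is not code from either poster: RFC 6811 origin validation followed by AS and prefix filters, showing that a route with no covering ROA evaluates to not-found and is only stopped by the per-neighbor filters. The prefixes, ASNs, function names and the origin-only AS filter are constructed assumptions; max-prefix is not modelled.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, RFC 5737 / RFC 5398).
# VRPs: (prefix, max_length, origin_asn), as produced from validated ROAs.
VRPS = [("192.0.2.0/24", 24, 64496)]

# Per-neighbor filters built from what the customer is authorised to announce.
# Assumption: the AS filter is simplified to an origin-AS check.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
CUSTOMER_ORIGINS = {64496}


def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_length and origin_asn == vrp_asn:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"


def import_decision(prefix, origin_asn, drop_unknown=False):
    """Layered import policy: ROV first, then AS filter, then prefix filter."""
    state = rov_state(prefix, origin_asn)
    if state == "invalid" or (drop_unknown and state == "not-found"):
        return "reject: rov " + state
    if origin_asn not in CUSTOMER_ORIGINS:
        return "reject: as-filter"
    route = ipaddress.ip_network(prefix)
    allowed = (ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES)
    if not any(route == net for net in allowed):
        return "reject: prefix-filter"
    return "accept (rov " + state + ")"
```

Calling `import_decision("198.51.100.0/24", 64496, drop_unknown=True)` rejects a legitimate but unsigned route, which is the cost of dropping RPKI unknowns today.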