Re: rpki roa irr - i now believe

[Tim Burke via NANOG <nanog () lists nanog org>]

Look into your router OS of choice’s RPKI validation implementation — here’s a (somewhat dated) example for IOS-XR: 
https://archive.nanog.org/sites/default/files/Patel.pdf

Routinator from NLnet Labs (https://www.nlnetlabs.nl/projects/routing/routinator/) is a great validation 
service/proxy/etc. to deploy on your local telemetry network, and have the routers pull from.

On May 17, 2025, at 4:54 PM, Aaron1 via NANOG <nanog () lists nanog org> wrote:

It worked for me.  A portion of my address space was being advertised from an ISP in Africa… I quickly learned about 
ARIN RPKI ROA, did it, and within about 10 minutes the wrong routes was gone from looking glass/route servers and 
suddenly all my ARIN-assigned prefixes showed as “validated” and green.

I’m wondering how this works.  Do SP’s have some sort of api or bgp session with a rpki database at ARIN?  I mean this 
all must be linked to gather somehow for it to work as nicely as it did.

Aaron

On May 17, 2025, at 3:23 PM, Randy Bush via NANOG <nanog () lists nanog org> wrote:



If the goal of someone were to hijack your routing, they could
(should) announce it using your ASN and thus it would still be RPKI
valid?

ROV is not a serious security mechanism.  it also does not wash your
car.  it is meant to deter mis-originations.  it seems to work.

randy
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/VCU3LBDGVTEFTRQ3L7SV4DWUTGBZ26V2/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PA3RR4CP6ACMETPQNRZLPSMYTGUL4NVR/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/2ZDRONOKWDWYYBRLDGHTMN2D56QMQGUO/