nanog mailing list archives

Re: rpki roa irr - i now believe


From: Aaron1 via NANOG <nanog () lists nanog org>
Date: Thu, 15 May 2025 12:08:11 -0500

I too was nervous going into it.  But I can say everything was seamless.  I didn’t see any glitch or downtime.  
Interestingly, now I understand many looking glass web pages and CLI-based route servers reflect the state of RPKI… 
with green, yellow, valid, etc.

I did my ROA entries with the actual ARIN-assigned prefix length… (e.g. /19 … /32 …etc) and then added the optional MAX 
length, of /24 or /48, not fully understanding the dynamic of it other than assuming it means that, I can send routes 
as specific as that max length and still achieve RPKI validation using said ROA entries.  Someone can confirm or deny 
or explain if my understanding is correct about that max length setting in the ROA entries.

Aaron

On May 15, 2025, at 11:35 AM, Eric C. Miller <eric () ericheather com> wrote:


I second this.  I used to be scared of possibly going offline during the security filter updates, but I was given the 
advice to first get IRR route objects behind everything already advertised and then publish ROAs. ARIN's process is 
pretty slick that it auto-associates new ROAs with existing IRR routes.

Something to remember is that some of the larger tier providers only update their filter lists daily or bi-daily.

From: Aaron Gould via NANOG <nanog () lists nanog org>
Sent: Thursday, May 15, 2025 12:26 PM
To: nanog () lists nanog org <nanog () lists nanog org>
Cc: Aaron Gould <aaron1 () gvtc com>
Subject: rpki roa irr - i now believe
 
ok ok, now I understand and am a believer!

some of our address space was hijacked.  i did the arin.net roa entries,
and BAM-O... moments later, all my routes are validated and the
erroneous hijacked routes are gone!

love it

wanted to share and emphasize to others, if you don't have your prefixes
protected at your RIR (ARIN), do it.  it only takes a few minutes.

https://www.arin.net/resources/manage/rpki/roa_request/

https://youtu.be/cVftieOVn1M

--
-Aaron

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PRA2CQTRFDO4IOX4U6L5646ES7KIZLSL/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/LFBYT5TZRHOTS3X7OLAZUMAIU6O2XHHO/
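
The maxLength question raised in the thread can be checked against the route origin validation rules of RFC 6811. The following is an added example, not part of the thread and not ARIN's or any validator's code; the prefixes and AS numbers are constructed (private and documentation ranges), and the names `VRP`, `SAMPLE_VRPS` and `validate` are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: the (prefix, maxLength, origin AS) a validator emits."""
    prefix: str
    max_length: int  # equals the prefix length when the ROA sets no maxLength
    asn: int


# Constructed sample ROAs: a /19 with maxLength 24 and a /32 with maxLength 48.
SAMPLE_VRPS = [
    VRP("10.10.0.0/19", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]


def validate(route_prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Return the RFC 6811 state of one BGP route: valid, invalid or not-found."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP "covers" the route when the route sits inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It "matches" when the route is no longer than maxLength and the
        # origin AS is the one the ROA authorizes.
        if route.prefixlen <= vrp.max_length and origin_asn == vrp.asn:
            return "valid"
    # Covered by some ROA but matched by none is invalid; no covering ROA
    # at all is not-found (the route is neither protected nor rejected).
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [
        ("10.10.0.0/19", 64496),     # the aggregate itself
        ("10.10.4.0/24", 64496),     # more specific, within maxLength
        ("10.10.4.0/25", 64496),     # more specific than maxLength allows
        ("10.10.4.0/24", 64511),     # right prefix, wrong origin AS
        ("2001:db8:1::/48", 64496),  # IPv6 more specific at maxLength
        ("192.0.2.0/24", 64496),     # no covering ROA
    ]:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn)}")
```

RFC 9319 recommends keeping maxLength no longer than the most specific prefix actually announced, because every more-specific route inside that range validates as long as it carries the authorized origin AS.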
