Hi Randy, awesome, that's what I wanted to know/confirm. I'm the originator.

Thanks

On Wed, 30 Sep 2020 at 01:18, Randy Cassidy <[email protected]> wrote:

> Hi Alex,
>
> The ROA is something you create/sign via your regional registry (APNIC in
> your case, ARIN for me). There's nothing you configure on your own routers
> as far as announcing your (signed or unsigned) prefixes to your Transit
> providers. The ROA basically says "it is valid for the following AS number
> to *originate* the announcement of the following
> (IP/prefix_length/max_prefix_length) list". Networks that implement RPKI
> use "out of band" mechanisms to perform the validation of the routes they
> receive via BGP.
>
> For example, if you owned 10.11.0.0/16, and your AS number was 65432,
> your ROA might say "65432 is allowed to announce 10.11.0.0/16". You must
> also specify the "max prefix length". I'm fuzzy on this, but I believe the
> reason is to prevent other networks from accidentally leaking internally
> dis-aggregated blocks of your routes to the outside world. Since "longer
> prefix wins", they could accidentally (or intentionally) force all your
> inbound traffic to flow through them. So if you know that you'll never
> announce blocks of your /16 IP space with a prefix length greater than /20,
> you'd specify 20 as the max prefix length in your ROA. If some other
> network has internally split you down into /24's, and then leaked those,
> any other networks that have implemented route origin validation would
> reject them, as they're more specific than you allow.
>
> This is for ARIN, but the fields in each ROA should be the same for APNIC.
> https://www.arin.net/resources/manage/rpki/roa_request/
>
> I hope that explanation helps!
>
> Randy
>
> On Tue, Sep 29, 2020 at 10:16 AM Alex Samad <[email protected]> wrote:
>
>> Hi
>>
>> I'll answer the last.
>>
>> So if I am the origin and I use multiple transit providers, don't I have
>> to sign mine? So I get I have to go to myapnic and set up a ROA, but don't
>> I have to sign my prefix (sorry, I'm new to this) before sending this
>> upstream? Isn't the verification done by checking the signatures of all of
>> the ASes?
>>
>> ROS 7 - yes, buggy a ... been waiting for multithread BGP for ...... I
>> like the platform, but I have given up on them..
>>
>> Thanks for all of the replies
>>
>> On Tue, 29 Sep 2020 at 19:28, Aftab Siddiqui <[email protected]>
>> wrote:
>>
>>> Hi Alex,
>>> If you are not doing ROV (Route Origin Validation) then you don't have
>>> to do anything on your end. Great to hear that Exetel is planning to do
>>> validation, but that means you have to create ROAs (Route Origin
>>> Authorization) on the myapnic portal, if you don't have them already.
>>>
>>> Regards,
>>>
>>> Aftab A. Siddiqui
>>>
>>> On Tue, 29 Sep 2020 at 18:46, Alex Samad <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> Wondering how prevalent RPKI is in transit providers in Oz. Just got an
>>>> email from Exetel to say they are starting a rollout of it.
>>>>
>>>> Seems like my ROS routers don't have it; seems like they have been
>>>> talking about it back in 2014, still waiting on that feature to be added.
>>>>
>>>> Curious if all of my transit providers are going to come knocking and
>>>> asking for me to turn this on?
>>>>
>>>> Plus some quick googling seems to suggest it's currently flawed..
>>>>
>>>> Thanks
>>>> Alex
_______________________________________________ AusNOG mailing list [email protected] http://lists.ausnog.net/mailman/listinfo/ausnog
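For anyone who wants to see what Randy's max-prefix-length explanation and Aftab's ROV remark mean in practice, here is a small Python model of RFC 6811 route origin validation run over a handful of announcements. This is an added example, not code from the thread and not any real RPKI validator or router; the ROAs and routes in it are constructed (the AS65432 / 10.11.0.0/16 / max /20 entry follows Randy's illustration, the other AS numbers and prefixes are documentation and private ranges), and the `ROA`, `validate` and `rov_policy` names are my own.

```python
"""Route Origin Validation (RFC 6811) against a local set of ROAs.

Added example, not code from the AusNOG thread or from any RPKI validator.
The ROAs and routes are constructed for illustration: AS65432 / 10.11.0.0/16
follows Randy's example, the remaining AS numbers and prefixes are from
documentation and private ranges, not live routing data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization, as you would create it in the RIR portal.

    asn        - AS authorised to *originate* the prefix (0 = nobody, RFC 6483 s4)
    prefix     - the covering prefix, e.g. "10.11.0.0/16"
    max_length - longest prefix length that AS may announce under it; in the
                 portal leaving it blank means "same as the prefix length"
    """
    asn: int
    prefix: str
    max_length: int

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def covering_roas(announced, roas):
    """ROAs whose prefix covers the announced route: same address family and
    the announcement is equal to, or more specific than, the ROA prefix."""
    out = []
    for roa in roas:
        net = roa.network()
        # subnet_of() raises TypeError across families, so check version first.
        if net.version == announced.version and announced.subnet_of(net):
            out.append(roa)
    return out


def validate(origin_asn: int, announced_prefix: str, roas) -> str:
    """Return "valid", "invalid" or "not-found" per RFC 6811 section 2.

    not-found: no ROA covers the prefix at all (unsigned space).
    valid:     at least one covering ROA names this origin AS and the
               announced length does not exceed that ROA's max_length.
    invalid:   covered by ROAs, but none of them authorises this
               (origin AS, prefix length) pair - a hijack or a leaked
               more-specific.
    """
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = covering_roas(announced, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == 0:
            continue  # AS0 ROAs can only make routes invalid, never valid
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def rov_policy(origin_asn: int, announced_prefix: str, roas) -> bool:
    """The usual deployment policy: drop invalid, accept valid and not-found.
    Dropping not-found would discard every prefix nobody has signed yet."""
    return validate(origin_asn, announced_prefix, roas) != "invalid"


# Constructed ROA set (what the RIR would publish after you sign in the portal).
ROAS = [
    ROA(asn=65432, prefix="10.11.0.0/16", max_length=20),     # Randy's example
    ROA(asn=64500, prefix="10.11.200.0/24", max_length=24),   # a /24 delegated to another AS
    ROA(asn=0,     prefix="198.51.100.0/24", max_length=24),  # "never originate this"
    ROA(asn=65432, prefix="2001:db8::/32", max_length=48),
]

# Constructed announcements as a transit provider doing ROV might see them.
SAMPLE_ROUTES = [
    (65432, "10.11.0.0/16"),      # valid
    (65432, "10.11.16.0/20"),     # valid: within max_length
    (65432, "10.11.1.0/24"),      # invalid: right AS, but longer than /20
    (64496, "10.11.1.0/24"),      # invalid: the leaked more-specific Randy describes
    (64496, "10.11.0.0/16"),      # invalid: origin hijack of the whole /16
    (64500, "10.11.200.0/24"),    # valid: its own ROA covers it despite the /16 ROA
    (64496, "198.51.100.0/24"),   # invalid: AS0 ROA
    (65432, "2001:db8:1::/48"),   # valid: IPv6 handled the same way
    (65432, "192.0.2.0/24"),      # not-found: no ROA, accepted under the usual policy
]

if __name__ == "__main__":
    for asn, pfx in SAMPLE_ROUTES:
        state = validate(asn, pfx, ROAS)
        action = "accept" if rov_policy(asn, pfx, ROAS) else "reject"
        print(f"AS{asn:<6} {pfx:<18} {state:<9} -> {action}")
```

Running it prints one line per sample route with its validation state and what a "reject invalid" policy would do with it. The two cases worth staring at are the ones from the thread: AS64496 leaking 10.11.1.0/24 is invalid because /24 exceeds the max length of 20, and AS65432 announcing that same /24 is invalid too, because max length is enforced against the holder as well, so set it to the longest prefix you actually intend to announce. Whether a transit provider drops invalids or merely tags them is that provider's policy, and the validator on their side fetches the signed ROAs from the RIR repositories and feeds the router via RTR (RFC 8210), which is the "out of band" mechanism Randy mentions.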
