Dear Edvinas,

On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
>
> Could enabling Hosted Mode (where it doesn't require any additional
> configuration on client end) on RPKI for some reason cause a
> traffic loss?
>
> The only disastrous scenario I could think of is if we would enable ROA
> with incorrect sub prefixes, maximum prefix length. Am I right?

I think you correctly identified most of the potential pitfalls.

Another pitfall might be when a typo in the Origin AS value slips into
the RPKI ROA. For example, I originate 2001:67c:208c::/48 in the DFZ
from AS 15562. Should I accidentally modify the covering ROA to only
permit AS 15563, the planet's connectivity towards 2001:67c:208c::/48
would become spotty.

So... - BEFORE - creating RPKI ROAs, I recommend setting up a BGP/RPKI
monitoring tool. NTT's excellent BGPalerter might be useful in this
context: https://github.com/nttgin/BGPalerter

Don't deploy things without monitoring! :-)

Kind regards,

Job
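
The two pitfalls discussed in this thread (a wrong Origin AS and a too-short maximum prefix length) can be checked before publishing a ROA with a small RFC 6811 route origin validation routine. This is an added example, not part of the original e-mail and not BGPalerter code; the maxLength values and the 2001:db8::/32 / AS 64496 scenario are constructed for illustration.

```python
"""RFC 6811 route origin validation (added example; ROA data is constructed)."""
from ipaddress import ip_network


def rov_state(prefix, origin_as, roas):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'.

    roas is an iterable of (roa_prefix, max_length, asn) tuples (VRPs).
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ip_network(roa_prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AS and a prefix no longer than maxLength.
        if asn == origin_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: strict ROV drops it.
    return "invalid" if covered else "not-found"


# Prefix and AS numbers from the e-mail; maxLength 48 is an assumption.
GOOD_ROAS = [("2001:67c:208c::/48", 48, 15562)]
TYPO_ROAS = [("2001:67c:208c::/48", 48, 15563)]  # Origin AS typo
# Constructed documentation-range case: maxLength too short for a /48.
MAXLEN_ROAS = [("2001:db8::/32", 32, 64496)]


def precheck(announcements, proposed_roas):
    """Return the announcements a proposed ROA set would not leave valid."""
    return [(p, a, rov_state(p, a, proposed_roas))
            for p, a in announcements
            if rov_state(p, a, proposed_roas) != "valid"]


if __name__ == "__main__":
    mine = [("2001:67c:208c::/48", 15562)]
    print("correct ROA :", precheck(mine, GOOD_ROAS))
    print("typo in ASN :", precheck(mine, TYPO_ROAS))
    print("short maxLen:", precheck([("2001:db8:1::/48", 64496)], MAXLEN_ROAS))
```

Running `precheck` against the prefixes you actually announce, before the ROA goes live, catches both mistakes; a monitoring tool then catches later drift.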