Hi everyone, We recently setup a new rack at a datacenter in Greece with a BGP transit (a blend of Level3, Cogent & PCCW) from them. Everything runs smoothly but we entered a conflict when we tried to blackhole an IP using their blackhole community while implementing fastnetmon. Apparently they suggest that in order for them to accept my /32 announcement (using their blackhole community), it needs to have a ROA in order to be RPKI valid. Otherwise they reject it (which is why ours tests failed). So I never had this before with other ISPs, and it got me baffled. Obviously having to log into my RPKI dashboard, add a ROA, wait till it propagates in order to be able to blackhole an IP is time consuming and of course counterproductive. To this, they suggested I can contact their support if I need to have an IP blackholed faster… Why do they offer a blackhole community in the first place then? Anyway, I provided my objections but obviously it’s their network they can run it however they want. Yesterday they contacted me again, and told me I can create a second ROA for each of my prefixes I announce via them, but with a /32 maxLegth, which would validate my /32 announcements. Again, I never had to do that in the past with other datacenters, nor have I ever heard of this so I looked it up. Looks like Job Snijders clearly states that this should be avoided (1st recommendation): https://mail.lacnic.net/pipermail/lacnog/2019-May/007058.html So here I am, asking the community for their input on this matter. - What do you think about their suggestion to add a second ROA with maxLength value of /32 – what are the implication? Any other info/help will be greatly appreciated.
|
smime.p7s
Description: S/MIME cryptographic signature
