Hello all ~
Have others considered using RPKI AS0 ROAs? Have others implemented AS0 ROAs? What was your experience, and what are your concerns?
We have ROAs for most of our space today. But one of the biggest issues is that if you have millions of v4 IPs, we can’t just create AS0 ROAs at the supernet level and expect no issues. We understand that some of our prefixes are UNKNOWN today, and working with ~90K employees, it’s difficult to determine if they truly need their allocated space announced to the Inet.
As an example, let’s say we have a /16 that we announce, its status is UNKNOWN (sadly this does happen), and there are several subnets under it in our backbone that automatically get the benefit of the /16 reaching the Inet. Should the /16 go away due to creating an AS0 supernet ROA, then these subnets will no longer have connectivity. The difficult thing to determine is whether they need Inet connectivity, and if so, why they are not announcing their block with BGP tagging to be announced to the Inet from our BB.
As we have potentially hundreds of verticals, tracking down the team that will tell us this can be a nightmare. This particular issue may be unique to my organization, as mergers and personnel changes have left inconsistencies, but this is the type of issue I was looking to see if others have considered, and are there others that are of concern?
On the happy news of RPKI ROAs, ARIN has significantly updated their RPKI ROA Hosted services, making it much easier for little guys to create ROAs, including removing the need for your own public/private key. See the full list: [arin-announce] Upcoming Changes to ARIN’s Resource Public Key Infrastructure (RPKI)
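The /16 scenario in the post can be checked before any AS0 ROA is published. The sketch below is an added example, not part of the original post: it applies RFC 6811 origin validation (where the post's UNKNOWN is the "not-found" state) to list announcements that a proposed supernet AS0 ROA would turn invalid, and the internal subnets that depend on them. The prefixes, ASN 64500, the /12 supernet and all function names are constructed for illustration, and it assumes networks enforcing origin validation drop invalid routes.

```python
import ipaddress

def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation; roas is a list of (prefix, max_len, asn)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        # AS 0 can never be a route origin, so an AS0 ROA covers but never matches
        if asn != 0 and asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def as0_impact(announcements, roas, proposed):
    """Announcements that become invalid once the proposed ROA is published."""
    broken = []
    for prefix, origin in announcements:
        before = validate(prefix, origin, roas)
        after = validate(prefix, origin, roas + [proposed])
        if before != "invalid" and after == "invalid":
            broken.append((prefix, before))
    return broken

def stranded(internal_subnets, announcements, broken):
    """Internal subnets left with no covering announcement that survives ROV.
    Assumption: networks enforcing origin validation drop invalid routes."""
    dead = {p for p, _ in broken}
    alive = [ipaddress.ip_network(p) for p, _ in announcements if p not in dead]
    return [s for s in internal_subnets
            if not any(ipaddress.ip_network(s).subnet_of(a) for a in alive)]

# Constructed sample data (private address space and documentation ASN 64500)
ROAS = [("10.30.0.0/16", 24, 64500)]             # only this /16 has a ROA today
ANNOUNCEMENTS = [("10.20.0.0/16", 64500), ("10.30.0.0/16", 64500)]
INTERNAL = ["10.20.5.0/24", "10.20.9.0/24", "10.30.7.0/24"]
PROPOSED_AS0 = ("10.16.0.0/12", 32, 0)           # hypothetical supernet AS0 ROA

if __name__ == "__main__":
    broken = as0_impact(ANNOUNCEMENTS, ROAS, PROPOSED_AS0)
    print("become invalid:", broken)
    print("stranded subnets:", stranded(INTERNAL, ANNOUNCEMENTS, broken))
```

The announcement that already has its own ROA stays valid under the supernet AS0 ROA; only the space that was not-found flips to invalid, which is the list to chase owners for first.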