
netsec-sig - Re: [Security-WG] [External] Re: Seeking advice on BCP for ROAs....

Subject: Internet2 Network Security SIG

  • From:
  • To:
  • Subject: Re: [Security-WG] [External] Re: Seeking advice on BCP for ROAs....
  • Date: Wed, 15 May 2019 10:29:43 -0400


>
>> Should IU's ROAs include one that associates 129.79.0.0/16 with AS87
>> and a second ROA that includes 129.79.0.0/16 - 24 associated with
>> AS393676?
>
> When a prefix is moved to the DDoS mitigation provider, can you just
> create a specific /24 (or whatever) ROA with their origin at that time?
>
> Your suggestion above will certainly work, but there seems to be a
> consensus, not unreasonable, that "loose" ROAs are best avoided if
> possible.
>
> John
>

Creating a new ROA doesn’t necessarily result in a timely update to networks
operating RPKI validators. It’s more of a batch process.

I’ve also been told that unless a network is using Zenedge’s Rapid BGP
scrubbing product, as opposed to the example I provided, Zenedge doesn’t
announce themselves as the origin.

Steve
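
The ROA options discussed in this thread, run through RFC 6811 route origin validation. This is an added example, not part of the original messages: the 129.79.5.0/24 and 129.79.200.0/24 test routes are constructed, and the AS87 ROA is assumed to carry no maxLength.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int

def roa(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    # RFC 6482: an absent maxLength means "exactly the ROA prefix length".
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue                      # this ROA does not cover the route
        covered = True
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"                # one matching ROA is enough
    # Covered by some ROA but matched by none: invalid. Uncovered: not-found.
    return "invalid" if covered else "not-found"

# ROA sets from the thread (assumption: the AS87 ROA has no maxLength).
STRICT = [roa("129.79.0.0/16", 87)]
LOOSE = STRICT + [roa("129.79.0.0/16", 393676, max_length=24)]
# Alternative from the reply: a specific ROA created at mitigation time.
SPECIFIC = STRICT + [roa("129.79.5.0/24", 393676)]   # constructed /24

def scenarios():
    """Validation state per (ROA set, route, origin) for constructed routes."""
    moved, other = "129.79.5.0/24", "129.79.200.0/24"
    return {
        "strict/moved/AS393676": validate(moved, 393676, STRICT),
        "loose/moved/AS393676": validate(moved, 393676, LOOSE),
        "loose/other/AS393676": validate(other, 393676, LOOSE),
        "specific/moved/AS393676": validate(moved, 393676, SPECIFIC),
        "specific/other/AS393676": validate(other, 393676, SPECIFIC),
        "loose/moved/AS87": validate(moved, 87, LOOSE),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:26} {state}")
```

With the loose ROA, every /17 through /24 inside the /16 validates for AS393676 whether or not it is being scrubbed, while the specific ROA validates only the prefix actually moved. Until validators fetch that new ROA, the moved /24 stays invalid, which is the timing concern raised in the reply.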




