netsec-sig - Re: [Security-WG] [NTAC] interesting scenario that came up during the RPKI ROA workshop...
Subject: Internet2 Network Security SIG
- From: William T Johnson <>
- To: Steven Wallace <>
- Cc: "Montgomery, Douglas (Fed) (via security-wg Mailing List)" <>,
- Subject: Re: [Security-WG] [NTAC] interesting scenario that came up during the RPKI ROA workshop...
- Date: Tue, 10 Sep 2019 11:11:38 -0400
Agree, though it probably wouldn’t be a complete loss of connectivity for the
/20 entity, so long as they have connectivity to the regional network and the
regional network didn’t flag their downstream customer’s prefix as invalid
(via rpki-validator).
The regional network should create the ROA for the /20 and/or any longer
prefixes that the regional network member may originate.
Tom
-=-=-=-=-=-=-=-=-=-=-=-=-=-
William (Tom) Johnson
I-Light and Indiana Gigapop
-=-=-=-=-=-=-=-=-=-=-=-=-=-
> On Sep 10, 2019, at 11:07 AM, Steven Wallace <> wrote:
>
> A prefix owner (direct ARIN registrant) is responsible for any ROAs needed
> by prefixes they subdelegate.
>
> For example, if a regional network owns a /16, and subdelegates /20s to its
> customers, the regional network must create any needed ROAs for the /20s.
>
> For example: If the regional network creates a ROA for its /16, but not for
> the /20s, the /20 announcements may be flagged as invalid, since they can
> appear as hijack attempts. This can result in the /20 route being withdrawn
> from backbone providers. In some cases, the remaining /16 route will ensure
> the packets find their destination; however, there are scenarios, such as
> when the /20 is multi-homed, where the result will be loss of full
> connectivity for the /20 user.
>
> Comments? Thoughts?
>
> Steve
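
The scenario discussed in this thread, worked through with RFC 6811 route origin validation; this is an added example, not part of either message. The 10.16.0.0/16 block, the AS numbers (from the documentation range) and the assumption that the customer originates its /20 from its own AS are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: object      # ipaddress network object
    max_length: int     # longest prefix length the ROA authorizes
    asn: int            # authorized origin AS

def roa(prefix, asn, max_length=None):
    """Build a ROA; maxLength defaults to the prefix's own length."""
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # It matches only if the origin AS agrees and the route is not
        # more specific than the ROA's maxLength allows.
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered by some ROA but matched by none: treated like a hijack.
    return "invalid" if covered else "not-found"

REGIONAL_AS, CUSTOMER_AS = 64496, 64511          # constructed ASNs

# Regional network publishes a ROA for its /16 only.
BEFORE = [roa("10.16.0.0/16", REGIONAL_AS)]
# Regional network also publishes a ROA for the subdelegated /20,
# with maxLength 24 so longer prefixes the customer originates stay valid.
AFTER = BEFORE + [roa("10.16.32.0/20", CUSTOMER_AS, max_length=24)]

if __name__ == "__main__":
    for label, roas in (("before", BEFORE), ("after", AFTER)):
        for prefix, asn in (("10.16.0.0/16", REGIONAL_AS),
                            ("10.16.32.0/20", CUSTOMER_AS),
                            ("10.16.33.0/24", CUSTOMER_AS)):
            print(label, prefix, f"AS{asn}", validate(prefix, asn, roas))
```

With only the /16 ROA published, the /20 is invalid even if the regional network's own AS originates it, because the announcement is longer than the ROA's maxLength.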