Internet2 Network Security SIG

[John Kristoff <>]

Thanks for the update, unfortunately I had to miss TechEx this year.

On Mon, 6 Jan 2020 18:17:06 +0000
Adair Thaxton <> wrote:

> * Steven Wallace described the extent to which many in our community 
> able unable to deploy RPKI due to lack of current agreement with ARIN.

We signed the LRSA for our originally allocated class B.  It happened
with nothing more than me providing a rough summary of the change and
why I thought it was no big deal for our institution to the CIO.

We have since created ROAs for all of our prefixes with the except of
an IPv6 /48 assigned to us by Internet2.  I'd exchanged a couple emails
over the past year with some Internet2 folks about being able to create
a ROA for this prefix as well, but that has stalled.  If anyone here is
listening and is still interested in helping move that forward, I would
be happy to do it.

Last month we started piloting ROV on one of our borders.  We're
currently using Routinator.  All seems well so far.  This border has
transit from HE.net and SCnet and more routes than I anticipated are
coming up invalid.  For now, just adjusting LOCAL_PREF.  Invalid routes
-10, valid +10, otherwise no change.  Eventually I plan to just drop
invalids.  We have two other exits that will be ROV-enabled with this
config later this week.

Happy to provide more detail and insight if anyone is interested.

John