re alex's preso on how the ripe/ncc roa generation gui works, with help from geoff, the latest version of draft-ietf-sidr-origin-ops gives more detailed advice on the subject.

   Use of RPKI-based origin validation obviates the utility of announcing many longer prefixes when the covering prefix would do.

   To aid translation of ROAs into efficient search algorithms in routers, ROAs SHOULD be as precise as possible, i.e. match prefixes as announced in BGP. E.g. software and operators SHOULD avoid use of excessive max length values in ROAs unless operationally necessary.

   Therefore, ROA generation software MUST use the prefix length as the max length if the user does not specify a max length.

   Operators SHOULD be conservative in use of max length in ROAs. E.g., if a prefix will have only a few sub-prefixes announced, multiple ROAs for the specific announcements SHOULD be used as opposed to one ROA with a long max length.

the third para specifically addresses the issue alex raised, thanks alex.

randy
participants (1)
-
Randy Bush
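The max length advice quoted from the draft, as an added example that is not part of the original post, the draft, or any ROA generation software. It assumes a simplified valid/invalid/notfound origin check; the function names, the 10.0.0.0/16 prefix and AS 64496 / AS 64511 are constructed for illustration.

```python
import ipaddress

def make_roa(prefix, asn, max_length=None):
    """Build a ROA entry; max length defaults to the prefix length when unspecified."""
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"max length {max_length} out of range for {net}")
    return (net, max_length, asn)

def validate(route, origin, roas):
    """Classify one BGP announcement as 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa_net, max_len, asn in roas:
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this route
            if net.prefixlen <= max_len and origin == asn:
                return "valid"
    return "invalid" if covered else "notfound"

def authorized_count(roas):
    """Number of distinct prefixes the ROA set authorizes for announcement."""
    allowed = set()
    for roa_net, max_len, _asn in roas:
        for length in range(roa_net.prefixlen, max_len + 1):
            allowed.update(roa_net.subnets(new_prefix=length))
    return len(allowed)

# Constructed scenario: the operator announces the /16 and two /24s only.
ANNOUNCED = ["10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"]

# One ROA with a long max length, versus one precise ROA per announcement.
LOOSE = [make_roa("10.0.0.0/16", 64496, max_length=24)]
PRECISE = [make_roa(p, 64496) for p in ANNOUNCED]

if __name__ == "__main__":
    for name, roas in (("loose", LOOSE), ("precise", PRECISE)):
        print(name, "authorizes", authorized_count(roas), "prefixes")
        for route in ANNOUNCED + ["10.0.200.0/24"]:
            print("  ", route, validate(route, 64496, roas))
```

Both ROA sets validate the three real announcements, but only the precise set marks the never-announced 10.0.200.0/24 as invalid.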