Hello,

This is Carlos from LACNIC. We are seeing the same poor RPKI data quality in our region and we share the same concerns that Alex has expressed.

Currently our hosted system *does not* renew anything automatically. It will send automatic reminders when expiration times are near, but that's just about it. ROA upkeep is left to the users.

The system does not prevent users from creating ROAs with expiry times 100 years in the future, although no one seems to ever change the default value of two years.

The most common operational mistake we are seeing has to do with failure to create covering ROAs for BGP downstream customers while having too long maxLen values in the upstream ROAs.

While I have personally contacted some of our members regarding the bad ROAs, we have so far met with limited success.

Warm regards

Carlos
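The operational mistake described in the message above can be reproduced with RFC 6811 route origin validation. This is an added example, not part of the original thread; the prefixes (from the 2001:db8::/32 documentation range), the AS numbers 64500 and 64501, and the function names are constructed for illustration.

```python
from ipaddress import ip_network

def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation of one announcement.

    roas: list of (roa_prefix, max_len, asn) tuples, i.e. validated ROA payloads.
    Returns 'valid', 'invalid' or 'not-found'.
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS (AS0 never matches) and a
        # route prefix length no longer than the ROA's maxLen.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data: the upstream (AS64500) holds 2001:db8::/32 and
# publishes a single ROA with maxLen 48; its customer (AS64501) originates
# a /48 out of that block.
UPSTREAM_ONLY = [("2001:db8::/32", 48, 64500)]
WITH_CUSTOMER_ROA = UPSTREAM_ONLY + [("2001:db8:a::/48", 48, 64501)]

ANNOUNCEMENTS = [
    ("2001:db8::/32", 64500),    # upstream aggregate
    ("2001:db8:a::/48", 64501),  # customer's own announcement
]

def audit(roas):
    """Validation state of every sample announcement under a ROA set."""
    return {(p, a): validate(p, a, roas) for p, a in ANNOUNCEMENTS}

if __name__ == "__main__":
    for label, roas in (("upstream ROA only", UPSTREAM_ONLY),
                        ("customer ROA added", WITH_CUSTOMER_ROA)):
        print(label)
        for (prefix, asn), state in audit(roas).items():
            print(f"  {prefix} from AS{asn}: {state}")
```
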
<pedantry>

btw, i don't think that ROAs per se expire. the EE cert which signs a ROA might expire, or any of the certs up-chain from the EE cert.

and, if you do not use the ripe web front end, but run in a separate engine (your own or a friend's), you set your own policy on the EE cert expiry etc.

of course, the kind of folk who run a separate engine tend to take care of their data.

randy
participants (2): Carlos Martinez-Cagnazzo, Randy Bush