RFC6482 doesn't explicitly specify whether to have one ROA per prefix or vice versa. In a delegated setup, Krill aggregates ROAs whenever possible, so it's left up to your preference.

https://console.rpki.co/rpki.co/repo/AS945/1/AS50058.roa.html

When it comes to MICE, it's recommended to publish a ROA covering the peering LAN. This not only secures against prefix hijacking but also prevents any accidental leaking, which has happened to NL-IX for example.

Per RFC6907, an AS 0 ROA serves as an attestation by a prefix holder that the prefix described in the ROA, along with any more specific prefixes, should not be used in a routing context. AS0 is better in that one can simply prepend AS53679 to deliberately hijack the prefix, which could be prevented by ASPA but that's another story, and a BGP speaker MUST NOT originate or propagate a route with an AS number of zero (RFC7606).
From: nlixannounce@simplelists.com <nlixannounce@simplelists.com> on behalf of NL-ix Support <support@nl-ix.net>
Sent: Tuesday, February 22, 2022, 3:48 AM
To: Support-NLix <support@nl-ix.net>
Subject: [NL-ix Announce] Recent incidents in peering VLAN
Dear members,
We have recently experienced some unfortunate events on our peering VLAN due to the announcement of a more-specific prefix that is part of our /22 subnet. One of our members accidentally announced 193.239.117.0/24 to one of their upstreams, propagating this prefix to the rest of the internet. Although one would expect this prefix to be dropped early on due to IRR validation failing, it was instead widely propagated.
On 2023-06-14 2:14 a.m., Richard Laager wrote:
In the ARIN web UI, it looks like a ROA can have multiple prefixes. For an end network such as myself (Wiktel hat on), what is the best practice... one ROA per prefix, or list multiple prefixes in the same ROA?
With my MICE hat on, should MICE publish a ROA for the peering network space? The theoretical advantage would be some amount of hijacking protection. Though since it's not supposed to be announced, it probably doesn't matter much either way?
As far as I can see, there's no explicit way to say "do not announce" in a ROA. But listing something with an origin AS of "0" seems to be a thing that is done for at least one deliberately invalid ROA (CloudFlare's 103.21.244.0/23). So, if I were to create a ROA for MICE, would that be an Origin AS of 53679 or 0?
--
Best regards
August Yang
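As an added illustration that is not part of either message in the thread, the following Python script runs the RFC 6811 route origin validation procedure over the situations discussed above: an IXP member leaking a more-specific of the peering LAN, a hijacker forging the IXP's own AS as origin, and a deliberately invalid AS 0 ROA. It assumes the NL-ix /22 is 193.239.116.0/22 (the announcement names only the leaked 193.239.117.0/24; the covering /22 is inferred), uses AS 64496 from the RFC 5398 documentation range to stand in for the leaking member or hijacker, and takes AS 53679 and 103.21.244.0/23 from Richard's question. The ROA set, the `validate` and `accept` functions, and the scenario names are all constructed for this example.

```python
"""RFC 6811 route origin validation against ROAs, including AS 0 ROAs.

Added example, not from the thread. Prefixes: 193.239.117.0/24 is the
leaked more-specific from the NL-ix announcement; 193.239.116.0/22 is
assumed to be its covering /22 (the announcement names only the /24).
AS 64496 (RFC 5398 documentation range) stands in for the leaking
member or a hijacker; AS 53679 is MICE; 103.21.244.0/23 with AS 0 is
the Cloudflare ROA mentioned in the question.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class Roa:
    prefix: str        # prefix as written in the ROA
    max_length: int    # maxLength; equals the prefix length when not set
    origin_as: int     # 0 means "no AS may originate this" (RFC 6907)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def covering_roas(announced, roas):
    """ROAs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    return [r for r in roas
            if r.network.version == announced.version
            and announced.subnet_of(r.network)]


def validate(prefix, origin_as, roas):
    """RFC 6811 section 2: NotFound / Valid / Invalid for one announcement."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(announced, roas)
    if not covering:
        return Rov.NOT_FOUND
    # Valid needs a covering ROA matching both the origin AS and maxLength.
    # An AS 0 ROA never matches, because no real route carries origin AS 0.
    for r in covering:
        if r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return Rov.VALID
    return Rov.INVALID


def accept(prefix, origin_as, roas):
    """Reject routes with origin AS 0 outright, then drop ROV-Invalid ones."""
    if origin_as == 0:
        return False
    return validate(prefix, origin_as, roas) is not Rov.INVALID


# Policy A: peering LAN attested with AS 0 (assumed /22, see module docstring).
PEERING_LAN_AS0 = [Roa("193.239.116.0/22", 22, 0)]
# Policy B: peering LAN attested with the IXP's own AS (MICE's 53679 here).
PEERING_LAN_IXP_AS = [Roa("193.239.116.0/22", 22, 53679)]
# The deliberately invalid ROA named in the question.
CLOUDFLARE_AS0 = [Roa("103.21.244.0/23", 23, 0)]


def compare_policies():
    """Origin validation outcomes for the cases the thread discusses."""
    leak = ("193.239.117.0/24", 64496)     # member leaks the more-specific
    forged = ("193.239.116.0/22", 53679)   # hijacker forges MICE as origin
    return {
        "leak_under_as0": validate(*leak, PEERING_LAN_AS0),
        "leak_under_ixp_as": validate(*leak, PEERING_LAN_IXP_AS),
        "forged_origin_under_as0": validate(*forged, PEERING_LAN_AS0),
        "forged_origin_under_ixp_as": validate(*forged, PEERING_LAN_IXP_AS),
        "cloudflare_more_specific": validate("103.21.244.0/24", 64496, CLOUDFLARE_AS0),
        "unrelated_prefix": validate("192.0.2.0/24", 64496, PEERING_LAN_AS0),
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:30} {result.value}")
    print("origin AS 0 route accepted:",
          accept("193.239.116.0/22", 0, PEERING_LAN_AS0))
```

The two policies differ in exactly one row: a route for the /22 whose origin attribute claims AS 53679 is Valid under the AS 53679 ROA and Invalid under the AS 0 ROA. Origin validation only checks the rightmost AS in the path, so it cannot tell a forged origin from a genuine one; that is the gap the reply points at ASPA for. The leaked /24 is Invalid under either ROA because maxLength is 22, and a route carrying origin AS 0 is refused before validation is consulted.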