What is the meaning of the term origin AS mismatch and how do you resolve it?

Multiple Choice

Explanation:
Origin AS mismatch occurs when the AS that originates the prefix in a BGP UPDATE does not match the AS authorized to originate that prefix according to the ROA. The ROA (Route Origin Authorization) is part of the RPKI and specifies which AS is allowed to originate a given prefix. When a route is advertised with an origin AS that isn’t listed in the ROA for that prefix, validators flag the route as invalid or suspicious, and many networks will drop or deprioritize such routes to prevent hijacks.

So the best way to resolve it is to align the announcement with the ROA. Update the ROA to authorize the actual origin AS for that prefix if the business relationship or routing configuration is legitimate. Alternatively, implement filtering policies to reject routes with invalid ROA origins or adjust network design so that the correct AS is the origin for that prefix. This helps ensure only authorized origins are accepted, reducing the risk of misconfigurations or malicious hijacks.

Why the other possibilities don’t fit: a match in the ROA means no mismatch, which isn’t the issue being described; an expired ROA would cause broader validity problems but isn’t specifically about an origin mismatch; and a neighbor AS mismatch is a different concept unrelated to ROA-based origin validation.
