where was my white knight....
Nick Hilliard
nick at foobar.org
Tue Nov 8 22:19:24 UTC 2011
On 08/11/2011 21:32, Valdis.Kletnieks at vt.edu wrote:
> Anybody who puts their rpki cache someplace that isn't accessible until they
> get the rpki initialized gets what they deserve.
One solution is to have directly-connected rpki caches available to all
your bgp edge routers throughout your entire network. This may turn out to
be expensive capex-wise, and will turn out to be yet another critical
infrastructure item to maintain, increasing opex.
Alternatively, you host rpki caches on all your AS-edge routers => upgrades
- and lots of currently-sold kit will simply not handle this sort of thing
properly.
> Once you realize this, the rest of the "what do we do for routing until
> it comes up" concern trolling in the rest of that paragraph becomes
> pretty easy to sort out...
I humbly apologise for expressing concern about the wisdom of imposing a
hierarchical, higher-layer validation structure for forwarding-info
management on a pre-existing lower layer fully distributed system which is
already pretty damned complex...
What's that principle called again? Was it "Keep It Complex, Stupid"? I
can't seem to remember :-)
> Caching just enough to validate the routes you need to get to a more capable
> rpki server shouldn't have a high write life-cycle.
Lots of older flash isn't going to like this => higher implementation cost
due to upgrades.
> Heck, you could just manually
> configure a host route pointing to the rpki server...
Yep, hard coding things - good idea, that.
> And it would hardly be the first time that people have been unable to deploy
> feature XYZ because it wouldn't fit in the flash on older boxes still in
> production.
This is one of several points I'm making: there is a cost factor here, and
it's not clear how large it is.
Nick
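The bootstrap dependency argued over above (a router that needs its RPKI cache to validate routes, but needs validated routes to reach the cache) can be made concrete with a small model. The following is an added example, not code from the post or from any router vendor: it implements RFC 6811 origin validation (valid / invalid / notfound) over a constructed ROA set, treats every prefix as notfound while the cache is unreachable (the RFC 7115 behaviour), and then compares three policies: rejecting notfound routes with no static route to the cache, accepting notfound routes, and rejecting notfound routes but pinning a host route to the cache as the quoted message suggests. All prefixes, ASNs and the cache address are made up for the example.

```python
"""Toy model of the RPKI cache bootstrap problem (added example, not from the post).

Prefixes, ASNs and the cache address below are constructed for illustration.
"""
import ipaddress

# Constructed ROA cache contents: (prefix, max_len, origin_as)
ROAS = [
    ("192.0.2.0/24", 24, 64500),      # covers the prefix the cache lives in
    ("198.51.100.0/24", 24, 64501),   # maxlen 24, so a /25 from this AS is invalid
]

# Constructed BGP announcements received at boot: (prefix, origin_as)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),          # route towards the RPKI cache
    ("198.51.100.0/24", 64501),       # valid
    ("198.51.100.0/25", 64501),       # invalid: longer than the ROA's maxlen
    ("203.0.113.0/24", 64666),        # no ROA at all: notfound
]

CACHE_ADDR = "192.0.2.10"             # hypothetical RTR cache address


def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation.

    notfound if no ROA covers the prefix; valid if some covering ROA carries
    this origin AS and a maxlen >= the announced prefix length; else invalid.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if roa_as == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "notfound"


class Router:
    def __init__(self, cache_addr, reject_notfound, static_routes=()):
        self.cache_addr = ipaddress.ip_address(cache_addr)
        self.reject_notfound = reject_notfound
        self.static = [ipaddress.ip_network(s) for s in static_routes]
        self.roas = None   # validated cache; None until the RTR session is up
        self.adj_in = {}   # everything received from peers: prefix -> origin_as
        self.rib = {}      # what is actually installed: prefix -> (origin_as, state)

    def state(self, prefix, origin_as):
        if self.roas is None:
            return "notfound"   # no cache reachable: RFC 7115 says treat as notfound
        return validate(prefix, origin_as, self.roas)

    def revalidate(self):
        """Rebuild the installed routes from adj_in under the current policy."""
        self.rib = {}
        for prefix, origin_as in self.adj_in.items():
            st = self.state(prefix, origin_as)
            if st == "invalid" or (st == "notfound" and self.reject_notfound):
                continue
            self.rib[prefix] = (origin_as, st)

    def receive(self, prefix, origin_as):
        self.adj_in[prefix] = origin_as
        self.revalidate()

    def can_reach(self, addr):
        nets = self.static + [ipaddress.ip_network(p) for p in self.rib]
        return any(addr in n for n in nets)

    def connect_cache(self, roas):
        """Bring up the RTR session only if the cache address is routable."""
        if not self.can_reach(self.cache_addr):
            return False
        self.roas = roas
        self.revalidate()   # routers revalidate once the cache is loaded
        return True


def bootstrap(reject_notfound, static_routes=()):
    """Boot a router under one policy; return (cache_loaded, installed routes)."""
    r = Router(CACHE_ADDR, reject_notfound, static_routes)
    for prefix, origin_as in ANNOUNCEMENTS:
        r.receive(prefix, origin_as)
    return r.connect_cache(ROAS), r.rib


if __name__ == "__main__":
    for label, args in [("reject notfound, no static", (True,)),
                        ("accept notfound", (False,)),
                        ("reject notfound + host route", (True, [CACHE_ADDR + "/32"]))]:
        loaded, rib = bootstrap(*args)
        print(f"{label}: cache loaded={loaded}, installed={rib}")
```

The first policy never loads the cache: every route is notfound before the RTR session exists, the policy drops them all, and the route to the cache is among them. Accepting notfound routes breaks the cycle, and routes that the cache later shows to be invalid are withdrawn on revalidation. The static host route also breaks the cycle, at the cost of the hard-coded dependency the post objects to.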