Towards an RPKI-rich Internet (and the appropriate allocation of responsibility in the event an RIR RPKI CA outage)
jcurran at arin.net
Mon Oct 1 08:26:08 UTC 2018
On 1 Oct 2018, at 12:47 AM, Alex Band <alex at nlnetlabs.nl> wrote:
> To avoid any misunderstanding in this discussion going forward, I would like to reiterate that an RPKI ROA is a positive attestation. An unavailable, expired or invalid ROA will result in a BGP announcement with the status NotFound. The announcement will *not* become INVALID, thereby being dropped.
> Please read Section 5 of RFC 7115 that John linked carefully:
> Thus, a continued outage of an RPKI CA (or publication server) will result in announcements with status NotFound. This means that the prefixes held by this CA will no longer benefit from protection by the RPKI. However, since only *invalid* announcements should be dropped, this should not lead to large scale outages in routing.
Yes – ISPs who have configured RPKI route validation and are using it to preference routes should continue to utilize routes that have NotFound status due to lack of RPKI repository data. As RFC 7115 notes -
"Hence, an operator's policy should not be overly strict and should prefer Valid announcements; it should attach a lower preference to, but still use, NotFound announcements, and drop or give a very low preference to Invalid announcements."
Of course, this presumes correct routing configuration by the ISP when setting up RPKI route validation; while one would hope that the vast majority handle this situation correctly, there is no assurance that will be true without exception. If RPKI routing validation is widely deployed, tens of thousands of ISPs will be setting up such a configuration, with customer impact during an RPKI CA outage occurring for those who somehow fail to fall back to using NotFound routes. If only a small percentage get this wrong, it will still represent dozens of ISPs going dark as a result.
> It is important to be aware of the impact of such an outage when considering questions of liability.
Indeed… Hence the question of liability during an RIR CA outage, should the liability for misconfigured ISPs (those handful of ISPs who do not properly fall back to using state NotFound routes) be the responsibility of each ISP, or perhaps those who announce ROAs, or should it be with the RIR?
President and CEO
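The fallback behaviour discussed in this message, as an added example that is not part of the original post: a sketch of RFC 6811 origin validation with the RFC 7115 preference policy next to an overly strict one, run before and after a CA's ROA disappears. The prefixes, AS numbers, preference values and function names are constructed for illustration.

```python
# Added illustration: RFC 6811 origin validation plus the RFC 7115 policy.
# All prefixes, AS numbers and preference values below are constructed.
from ipaddress import ip_network

def validate(prefix, origin_as, vrps):
    """Return 'Valid', 'Invalid' or 'NotFound' for a route (RFC 6811).

    vrps: iterable of (roa_prefix, max_length, asn) tuples.
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in vrps:
        roa = ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True  # at least one VRP covers this route
        if asn == origin_as and route.prefixlen <= max_length:
            return "Valid"
    # Covered but never matched is Invalid; no covering VRP is NotFound.
    return "Invalid" if covered else "NotFound"

# Policy following the RFC 7115 text quoted above: prefer Valid, still use
# NotFound at lower preference, drop Invalid. None means "route dropped".
TOLERANT = {"Valid": 200, "NotFound": 100, "Invalid": None}
# The misconfiguration discussed in the message: anything not Valid is dropped.
STRICT = {"Valid": 200, "NotFound": None, "Invalid": None}

def local_pref(prefix, origin_as, vrps, policy):
    return policy[validate(prefix, origin_as, vrps)]

# Constructed VRP set as it looks while the CA's repository is reachable.
VRPS = [("192.0.2.0/24", 24, 64500), ("203.0.113.0/24", 24, 64501)]

def simulate_ca_outage(vrps, lost_prefixes):
    """Remove the VRPs whose ROAs are no longer available from the CA."""
    return [v for v in vrps if v[0] not in lost_prefixes]

if __name__ == "__main__":
    after = simulate_ca_outage(VRPS, {"192.0.2.0/24"})
    for name, policy in (("tolerant", TOLERANT), ("strict", STRICT)):
        for label, vrps in (("before", VRPS), ("outage", after)):
            state = validate("192.0.2.0/24", 64500, vrps)
            pref = local_pref("192.0.2.0/24", 64500, vrps, policy)
            print(name, label, state, pref)
```

With the ROA gone, the legitimate route and a wrong-origin route for the same prefix both evaluate to NotFound, so the tolerant policy keeps reachability but no longer filters that prefix, while the strict policy drops the legitimate route.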