Reaching out to ARIN members about their RPKI INVALID prefixes

Christopher Morrow morrowc.lists at gmail.com
Wed Sep 19 08:07:42 UTC 2018


On Wed, Sep 19, 2018 at 12:51 AM nusenu <nusenu-lists at riseup.net> wrote:

> Owen DeLong:
> > Personally, since all RPKI accomplishes is providing a
> > cryptographically signed notation of origin ASNs that hijackers
> > should prepend to their announcements in order to create an aura of
> > credibility, I think we should stop throwing resources down this
> > rathole.
>
> regardless of how one might think about RPKI, there are ROAs out
> there that reduce the visibility/reachability of certain prefixes and the
> general assumption is that announced prefixes would like to be reachable
> even if the operator doesn't care about RPKI and ROAs from the past
> anymore, he most likely cares
> about reachability from a pure operational point of view.
>
>
So, a lot like dnssec ... if you enable the RPKI functions (publish roas) I
think it's very much a responsibility of the publisher to provide the
correct information in an on-going and stable manner.

This seems bad, at first blush, but you will not always be here to offer
these recalcitrant folk a pointer to how to fix themselves, and TODAY
there's: "little" penalty when it comes to getting this RPKI thing
wrong... So, ideally the folk who are 'doin it wrong' can learn, get
operational processes/procedures/personnel in place and take action for the
long term... right? :)


> my email was not about: "How much does one like RPKI?"
>

sorry, 'most' emails that mention RPKI are: "how much do you like the
flavor of rpki?" :)


> it is about whether it is acceptable that RIRs (and more specifically ARIN
> in this mailing list's context)
> notify affected parties of their prefixes that suffer from stale ROAs.
>

This I still think is a bad plan.. mostly because I don't think it'll help
:(
I think what helps is: "Oh, I can't get to <foo> and <bar> and <most of the
internet>" .... I think folk that CARE will do the right thing, folk that
'think they care' won't and will soon get disconnected from the tubez.

I apologize a tad if my view that: "breaking people will force them to fix
themselves" is .... rough :(

> Even if one dislikes RPKI entirely the opinion could still be "yes
> notifying those parties makes sense
> to restore reachability".
>
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
>
>