Reaching out to ARIN members about their RPKI INVALID prefixes

Alex Band alex at nlnetlabs.nl
Wed Sep 19 09:45:24 UTC 2018


> On 19 Sep 2018, at 10:37, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> 
> 
> On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin <phil.lavin at cloudcall.com> wrote:
> > What about a one-off outreach effort?
> 
>> Makes sense to me. As someone who (at least pretends to) care, I was very much unaware of RPKI before seeing discussion about it on NANOG and #ix.
>> 
>> That said, having recently done this with ARIN... they've got a long way to go before it's a simple process (like RIPE). Submitting numerous tickets over a 3 day period doesn't strike me as particularly efficient. If outreach was done and widely taken up, I'd think ARIN's help desk will struggle to meet the demand. If this is the case and it's a multi-week process to get RPKI set up, it would be expected that people will give up part way through the process.
>> 
> Phil. Thanks, this is interesting input.. I expected that the system arin setup was on-par with that which ripe/apnic have setup... huh, I'm surprised that it required any tickets at all to accomplish :(

ARIN offers all of the features that the other RIRs do, but usability remains a (big) barrier. I did a talk at NANOG several years ago demonstrating how usability of the hosted RPKI system greatly impacted adoption and data quality in the RIPE region:

https://youtu.be/R2VV_APOFL8

At the time, a lot of effort went into providing a hosted RPKI system that suggested ROAs based on best practices, showed what the impact on BGP announcements was going to be and sent alerts when misconfigurations or hijacks occurred. This gives operators the confidence to use and maintain the system. As a result, the data set is now big and high quality enough for operators to start dropping invalids.

I’d be interested to hear how many operators in the ARIN region would be willing to set up ROAs (and maintain them!) if it weren’t so hard to do. This might entice ARIN to address the usability issue. Because non-repudiation or not, this process shouldn’t have to take several tickets and several days.

Be that as it may, we fully intend to build a Delegated CA that is on par with RIPE’s user experience so that operators can run RPKI themselves in a usable way.

Alex Band
NLnet Labs
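
An added example, not part of the original message and not code from NLnet Labs or any RIR: a sketch of the "impact on BGP announcements" preview described above, using RFC 6811 origin validation to show which announcements change state if a candidate ROA is published. The prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")
Route = namedtuple("Route", "prefix origin_asn")

def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

def route(prefix, origin_asn):
    return Route(ipaddress.ip_network(prefix), origin_asn)

def validate(rt, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for r in roas:
        if r.prefix.version != rt.prefix.version:
            continue
        if not rt.prefix.subnet_of(r.prefix):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # An AS0 ROA covers the prefix but never matches an origin.
        if r.asn != 0 and r.asn == rt.origin_asn \
                and rt.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def preview(candidate, existing_roas, announcements):
    """List announcements whose state changes if candidate is published."""
    changes = []
    for rt in announcements:
        before = validate(rt, existing_roas)
        after = validate(rt, existing_roas + [candidate])
        if before != after:
            changes.append((str(rt.prefix), rt.origin_asn, before, after))
    return changes

# Constructed sample data (documentation prefixes and ASNs only).
ANNOUNCEMENTS = [
    route("192.0.2.0/24", 64500),
    route("198.51.100.0/24", 64500),
    route("198.51.100.0/25", 64500),    # more specific than the candidate ROA
    route("198.51.100.128/25", 64511),  # different origin AS
    route("203.0.113.0/24", 64501),     # unrelated prefix
]
EXISTING = [roa("192.0.2.0/24", 24, 64500)]
CANDIDATE = roa("198.51.100.0/24", 24, 64500)

if __name__ == "__main__":
    for p, asn, before, after in preview(CANDIDATE, EXISTING, ANNOUNCEMENTS):
        print(f"{p} AS{asn}: {before} -> {after}")
```

The two /25 announcements turning invalid are the kind of side effect such a preview is meant to surface before the ROA is created.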



