Reaching out to ARIN members about their RPKI INVALID prefixes

Owen DeLong owen at delong.com
Thu Sep 20 01:02:27 UTC 2018



> On Sep 19, 2018, at 00:46 , nusenu <nusenu-lists at riseup.net> wrote:
> 
> Owen DeLong:
>> Personally, since all RPKI accomplishes is providing a
>> cryptographically signed notation of origin ASNs that hijackers
>> should prepend to their announcements in order to create an aura of
>> credibility, I think we should stop throwing resources down this
>> rathole.
> 
> Regardless of how one might think about RPKI, there are ROAs out
> there that reduce the visibility/reachability of certain prefixes, and the
> general assumption is that announced prefixes would like to be reachable.
> Even if the operator doesn't care about RPKI and ROAs from the past anymore, he most likely cares
> about reachability from a pure operational point of view.

Yep… And the easy recipe for one which doesn’t care about RPKI to restore reachability is “delete the ROAs”.

> My email was not about: "How much does one like RPKI?"

I have no impression that it was.

I thought it was about “Should we consume more RIR resources dealing with this additional pain likely to be caused by RPKI?”

> It is about whether it is acceptable that RIRs (and more specifically ARIN in this mailing list's context)
> notify affected parties of their prefixes that suffer from stale ROAs.

I agree with Mr. Morrow that this would end in pain.

> Even if one dislikes RPKI entirely the opinion could still be "yes notifying those parties makes sense
> to restore reachability".

Agreed. However, whether I liked RPKI or not, I’d still say that notification by the RIRs is prone
to sadness. My initial intent was merely to state that I prefer the RIRs not waste additional
resources on this, including notification.

Owen



