ARIN RPKI TAL deployment issues

Michel Py at
Wed Sep 26 01:20:43 UTC 2018


> Jared Mauch wrote :
> Saying “nobody validates their prefixes” is patently false.  You may not.  I may not, but there are a number of networks that are and have advertised that they are.

I did validate mine, but in the ARIN region I'm part of the only 2% that did, that's close enough to "nobody" for me, in context compared to RIPE numbers.

> Michel, It would be a shame if you created a ROA and it could not be validated in some non-english speaking corner of the world that
> put your assets at risk due to this posture.  The community needs secure by default for all regions and the barriers for ARIN IP space
> are a real and measured problem.  It’s time to end this disparity as right now not all TALs are equal.  They should be.

I agree, but it's not that simple.
The main issue I currently see with RPKI / ROA is not the ARIN TAL (although I am directly affected) but the fact that nobody or almost nobody actually enforces RPKI. Most operators who are validating RPKI prefixes keep carrying them even when they are invalid, which makes the entire thing completely useless.
And yes I know, it's not that simple ;-)

And it may be shameless self-plugin, but I think we need to encourage experiments that actually try to enforce RPKI.


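The difference between validating and enforcing that the message above describes, as an added example that is not part of the original post: RFC 6811 route origin validation run over constructed VRPs and routes, with a validate-only import policy next to one that drops invalids. The prefixes and ASNs are documentation values, and the function names are assumptions made for this illustration.

```python
import ipaddress

# Constructed validated ROA payloads (VRPs): (prefix, max_length, origin_asn).
# Documentation prefixes and ASNs only, not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP announcements: (prefix, origin_asn).
ROUTES = [
    ("192.0.2.0/24", 64500),      # matches a VRP
    ("192.0.2.0/24", 64511),      # covered, wrong origin AS
    ("203.0.113.128/25", 64501),  # covered, longer than max_length
    ("198.51.100.0/24", 64502),   # no covering VRP
]


def rov_state(prefix, origin_asn, vrps=VRPS):
    """Classify a route as valid / invalid / not-found per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS 0 in a VRP never matches any origin.
        if route.prefixlen <= max_len and vrp_asn == origin_asn and vrp_asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"


def import_routes(routes, enforce):
    """Return the routes accepted into the table as (prefix, asn, state).

    enforce=False: validate and tag only, invalids are still carried.
    enforce=True:  invalids are dropped; not-found routes are still accepted.
    """
    accepted = []
    for prefix, asn in routes:
        state = rov_state(prefix, asn)
        if enforce and state == "invalid":
            continue
        accepted.append((prefix, asn, state))
    return accepted
```

With `enforce=False` all four constructed routes stay in the table, including the wrong-origin and too-specific announcements; with `enforce=True` only the valid and not-found routes remain.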
