Starting to Drop Invalids for Customers

Nick Hilliard nick at foobar.org
Wed Dec 11 11:50:52 UTC 2019


Christopher Morrow wrote on 11/12/2019 03:45:
> On Tue, Dec 10, 2019 at 7:32 PM Rubens Kuhl <rubensk at gmail.com> wrote:
>> Which brings me to my favorite possible RPKI-IRR integration: a ROA
>> that says that IRR objects on IRR source x with maintainer Y are
>> authoritative for a given number resource. Kinda like SPF for BGP.
> 
> Is this required? or a crutch for use until a network can publish
> all of their routing data in the RPKI?

it sounds like a great idea which is a terrible idea.  Each operator 
will make their own choice about what RPKI TALs to accept.  Once they're 
loaded up on the rpki caches, do you really want to push more complexity 
down to the router control plane and start making per-device 
choices about how to handle the trust level of each individual ROA?  The 
internet dfz is already being killed with complexity.  Configuring 
per-prefix trust levels at a per-device level is nuts - and wholly 
non-scalable.

If you don't want to see ROAs from a specific source, then don't import 
their TAL.

Nick
