Starting to Drop Invalids for Customers

• Previous message (by thread): Starting to Drop Invalids for Customers
• Next message (by thread): Starting to Drop Invalids for Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ah, right. Fair. I was responding, I suppose, to Rubens' original
description, which was exactly this.

On 12/11/19 5:08 PM, Christopher Morrow wrote:
> On Wed, Dec 11, 2019 at 11:35 AM Matt Corallo <nanog at as397444.net> wrote:
>>
>> Right, but you’re also taking a strong, cryptographically-authenticated system and making it sign non-authenticated data. Please don’t do that. If you want to add the data to RPKI, there should be a way to add the data to RPKI, not sign away control of your number resources to unauthenticated sources.
>>
> 
> I don't think that's what I was saying, at all, actually.
> 
> I was saying:
>   "I assume you must have some system to create IRR data, that system
> knows: '1.0.1.0/24 ASFOO MAINT-FOOBAR'  is ok."
> 
> that system could now add '1.0.1.0/24 ASFOO' to the RPKI.
> 
> Where does that say: "make it sign unauthenticated data" ?
> 
>>> On Dec 11, 2019, at 10:17, Christopher Morrow <morrowc.lists at gmail.com> wrote:
>>>
>>> On Wed, Dec 11, 2019 at 5:52 AM Rubens Kuhl <rubensk at gmail.com> wrote:
>>>>
>>>>
>>>>>
>>>>>> Which brings me to my favorite possible RPKI-IRR integration: a ROA that says that IRR objects on IRR source x with maintainer Y are authoritative for a given number resource. Kinda like SPF for BGP.
>>>>>>
>>>>>
>>>>> Is this required? or a crutch for use until a network can publish all
>>>>> of their routing data in the RPKI?
>>>>>
>>>>
>>>> It provides an adoption path based on the information already published in IRRs by operators for some years. It also covers for the fact that RPKI currently is only origin-validation.
>>>
>>> I would think that if you(royal you) already are publishing:
>>>  "these are the routes i'm going to originate (and here are my customer lists)"
>>>
>>> and you (royal you) are accepting the effort to publish 1 'new' thing
>>> in the RPKI.
>>>
>>> you could just as easily take the 'stuff I'm going to publish in IRR'
>>> and 'also publish in RPKI'.
>>> Right? So adoption path aside, because that seems like a weird
>>> argument (since your automation to make IRR data appear can ALSO just
>>> send rpki updates), your belief is that: "Hey, this irr object is
>>> really, really me" is still useful/required/necessary/interesting?
>>>
>>> -chris
>>

• Previous message (by thread): Starting to Drop Invalids for Customers
• Next message (by thread): Starting to Drop Invalids for Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]