2749 routes AT RISK - Re: TIMELY/IMPORTANT - Approximately 40 hours until potentially significant routing changes (re: Retirement of ARIN Non-Authenticated IRR scheduled for 4 April 2022)
Job Snijders
job at fastly.com
Mon Apr 4 22:56:37 UTC 2022
On Mon, Apr 04, 2022 at 06:35:31PM -0400, Jon Lewis wrote:
> On Tue, 5 Apr 2022, Job Snijders wrote:
> > > Are others jumping ship or planning to from ALTDB (no offense intended, and
> > > grateful for the service you've provided) and other non-auth IRRs like RADB
> > > due to networks like Tata announcing that they won't honor route objects
> > > created in non-authoritative IRR DBs after late last year and plan to ignore
> > > them entirely by late next year? i.e.
> > >
> > > From: https://lg.as6453.net/doc/cust-routing-policy.html
> > >
> > > Special note, deprecation of non-authoritative registries
> > >
> > > Please note that 'route' and 'route6' objects created after 2021-Aug-15
> > > in non-authoritative registries like RADB, NTTCOM, ALTDB and others
> > > will not work. Objects created before that date will continue to work till
> > > 2023-Aug-15. It is recommended to create RPKI ROA objects instead. In
> > > rare cases if that's not possible, 'route' and 'route6' must be created
> > > in the authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE,
> > > NIC.br or IDNIC.
> >
> > I very much appreciate Tata's efforts to strive to only use authoritative
> > data when making BGP routing decisions; however the scope of their
> > charter is of course confined to just Tata's own operations. Tata's
> > routing policies affect only Tata's customer cone.
>
> I'm (well, work is) a Tata customer. So their policy wrt which IRR's
> they'll honor objects in matters to me, and going forward, it makes no sense
> for us to create new objects in ALTDB or RADB...and those proxy
> registrations Kenneth created in ALTDB, if any of those networks are
> originated by Tata customers, I presume the new ALTDB objects won't cause
> Tata prefix-list filters to include those routes.

Right.

> I just wonder if Tata is alone leading the charge to deprecate non-auth
> IRRs, or if there are other notable networks with similar policies?

I think there clearly is an industry-wide trend to move away from
'unsigned plain-text non-authoritative' datasets, towards better sources
of truth such as the VRP data available through the RIR RPKI Trust
Anchors.

There are variances in how stakeholders implement this paradigm shift:
some operators move towards wholesale ignorance of non-auth databases
(like Tata); some operators use softer transition mechanisms (examples:
what RIPE NCC did in lieu of RIPE-731, or how IRRd v4 in its default
configuration magically makes RPKI-invalid IRR objects disappear).

I think all of us recognize a need to declaw "third party" IRR databases
like RADB and ALTDB ("declawing" meaning that it is not desirable that
anyone can just register *anything*); on the other hand our community
also has to be cognizant about there being parts of the Internet which
are not squatting on anyone's numbers *and* also are not contracted to a
specific RIR.

Kind regards,
Job
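
The softer transition mentioned in the message above, where RPKI-invalid IRR objects are hidden instead of whole databases being ignored, comes down to RFC 6811 origin validation of each route object against the VRP set. The following is an added example, not part of the original message and not IRRd's code; the VRPs, route objects and function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (prefix, maxLength, origin ASN) using documentation ranges.
VRPS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 24, 64501),
        ("2001:db8::/32", 48, 64500)]
# Constructed route objects as they might appear in non-authoritative IRRs.
RPSL = """\
route: 198.51.100.0/24
origin: AS64511
source: RADB

route: 203.0.113.0/24
origin: AS64502
source: ALTDB

route6: 2001:db8:1::/48
origin: AS64500
source: RADB

route: 192.0.2.128/25
origin: AS64500
source: RADB
"""

def parse_route_objects(rpsl):
    """Yield (prefix, origin ASN, source) for each route/route6 object."""
    for block in rpsl.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines())
        attrs = {key.strip(): value.strip() for key, _, value in fields}
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and attrs.get("origin", "").upper().startswith("AS"):
            yield prefix, int(attrs["origin"][2:]), attrs.get("source", "")

def rov_state(prefix, origin, vrps):
    """RFC 6811 state: valid, invalid (covered, no match) or not-found."""
    net, covered = ipaddress.ip_network(prefix), False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this prefix
        if asn == origin and asn != 0 and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def suppressed_objects(rpsl, vrps):
    """Objects hidden under this model: only RPKI-invalid ones; not-found stays."""
    return [(p, o, s) for p, o, s in parse_route_objects(rpsl)
            if rov_state(p, o, vrps) == "invalid"]
```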