[External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

Sun Sep 18 18:42:15 UTC 2022

Since at its best, all RPKI can provide is a hint at how to properly lie about an announcement (i.e. what
you must prepend in order for it to be believed), I remain unconvinced that it provides any actual benefit
except, perhaps, to the largest and most well known ASNs as originators.

Owen

> On Sep 18, 2022, at 11:38 , Alex Band <alex at nlnetlabs.nl> wrote:
> 
> 
> 
>> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG <nanog at nanog.org> wrote:
>> 
>> 
>> 
>>> On Sep 15, 2022, at 22:04 , Rubens Kuhl <rubensk at gmail.com> wrote:
>>> 
>>> On Fri, Sep 16, 2022 at 12:45 PM William Herrin <bill at herrin.us> wrote:
>>>> 
>>>> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl <rubensk at gmail.com> wrote:
>>>>> On Fri, Sep 16, 2022 at 11:55 AM William Herrin <bill at herrin.us> wrote:
>>>>>> No, the best option for me right now is that I just don't participate
>>>>>> in RPKI and the system has one less participant. And that's a shame.
>>>>> 
>>>>> That's only true in the current environment where RPKI is only used to
>>>>> invalidate bogus routes. When any reachability for RPKI-unknowns is
>>>>> lost, that will change.
>>>> 
>>>> Hi Rubens,
>>>> 
>>>> If you want to bet me on folks ever deciding to discard RPKI-unknowns
>>>> down in the legacy class C's I'll be happy to take your money.
>>> 
>>> I don't think people will look at even the class, and definitively not
>>> to legacy or non-legacy partitions.
>>> They will either drop it all, or not drop it at all.
>>> 
>>> Note that when the only IP blocks that spammers and abusers can inject
>>> in the system are non-signed ones, those blocks will get bad
>>> reputations pretty fast. So the legacy holders use case for RPKI might
>>> come sooner than you think.
>> 
>> Nah… Because the reputations will still be the individual /24s and while
>> lots of /24s around mine have bad reputations, mine doesn’t and never has
>> (modulo a couple of administrative errors that were on me and legitimately
>> my fault, not actual spammers).
>> 
>>> 
>>>> Anyway, the risk/reward calculation for NOT signing the LRSA right now
>>>> is really a no-brainer. It's just unfortunate that means I won't get
>>>> an early start on RPKI.
>>> 
>>> Discarding RPKI-invalids is something you can do right now and that
>>> doesn't come with a price tag. Good BCP38 and RPKI-invalid hygiene is
>>> the thankless gift you can give to the community.
>> 
>> Yes, but I think that RPKI unknowns are never going to be something that
>> can be safely dropped and 90% of RPKI invalids so far seem to be people
>> making RPKI mistakes with their legitimate announcements.
>> 
>> The more I look at RPKI, the more it looks like a lot of effort with very little
>> benefit to the community.
> 
> While I’m sure that most would agree that RPKI offers at least some benefits, perhaps the problem is the cost/benefit of doing RPKI in the ARIN region compared to the rest of the world, e.g. ticketed requests to set it up, no indication of what the effect of your ROA is going to be before you publish, handling ROA expiry manually, etc.
> 
> In other regions using RPKI is orders of magnitude simpler to set up and maintain, and a lot less error prone. They provide alerting when your ROA do not seem to match what is seen in BGP, create matching route: objects, etc.
> 
> To illustrate, here’s a video of the RIPE NCC management UI from 2015 (!):
> 
> https://youtu.be/gLwHp12wOGw <https://youtu.be/gLwHp12wOGw>
> 
> (And no, the nonrepudiation requirement in ARIN is not an excuse)
> 
> -Alex
> 
> 
>> 
>> YMMV
>> 
>> Owen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220918/bd145f14/attachment.html>