Re: Reaching out to ARIN members about their RPKI INVALID prefixes

[Owen DeLong <owen () delong com>]

> On Sep 18, 2018, at 2:15 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
>
>
>
> On Tue, Sep 18, 2018 at 1:33 PM nusenu <nusenu-lists () riseup net <mailto:nusenu-lists () riseup net>> wrote:
> Christopher Morrow wrote:
> > Perhaps this was answered elsewhere, but: "Why is this something
> > ARIN (the org) should take on?"
>
> Thanks for this question, I believe this is an important one.
>
> I reasoned about why I think RIRs are in a good position to send these emails here: [1]
> but I will quote from it for convenience:
>
> > Notifying affected IP Holders
> >
> > The natural next step (and that was our initial intention when
> > looking at INVALIDs) would be to send out emails to affected IP
> > holders and ask them to address the INVALIDs but although that could
> > be automated, we believe the impact would be better, if that email
> > came from some trusted entity like the RIR relevant to the affected
> > IP holder instead of a random entity they never had any contact
> > before (us).
> >
> > Asking RIRs to reach out to their members also scales better since
> > every RIR would only have to take care of their own members.
> [...]
>
>
> i don't know that the contacts the RIR has for the entity is necessarily the one that controls/deals-with the RPKI 
> data though.

It sort of has to be, as managing your RPKI data (at least in the ARIN region) involves doing it through your ARIN 
On-Line account which must be associated with the ORG associated with the resources in question.

> I also think that generally if folk set all that up they probably know (or will soon enough) that they have a mistake.

You overestimate some things here.

> Generally speaking, I think "folk should fix themselves, and maintain/monitor their configuration", that ARIN (or 
> anyone else sending 'unsolicited email') here is going to end badly in the worst case and 'not have any effect' in 
> the majority of cases.

Agreed.

>  
> [1] https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c 
> <https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c>
>
>
> > Why can't (or why isn't) this something that 'many' 
> > monitoring/alerting companies/orgs are offering?
>
> There are companies offering BGP monitoring including RPKI ROAs, but
> the affected IP holders are unlikely customers of those monitoring
> services or generally aware of the problem.
>
>
> ok, maybe they should though? :) 

I love a good tautology.

>  
> > it's unclear, to me, why ARIN is in any better position than any
> > other party to perform this sort of activity? I would expect that, at
> > the base level, "I just got random/unexpected email from ARIN?" will
> > get dropped in the spam-can, while: "My monitoring company to which I
> > signed up/contracted emailed into my ticket-system for action..
> > better go do something!" is the path to incentivize.
>
> The problem is how do you make operators aware of the problem in the first place.
>
>
> ideally they are aware of thier own config, have a person(s) responsible for managing that configuration and care 
> about reachability...  if they don't have that today, they will soon enough.

Optimist!

Owen