nanog mailing list archives

Re: Reaching out to ARIN members about their RPKI INVALID prefixes


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 19 Sep 2018 01:07:42 -0700

On Wed, Sep 19, 2018 at 12:51 AM nusenu <nusenu-lists () riseup net> wrote:

> Owen DeLong:
>> Personally, since all RPKI accomplishes is providing a
>> cryptographically signed notation of origin ASNs that hijackers
>> should prepend to their announcements in order to create an aura of
>> credibility, I think we should stop throwing resources down this
>> rathole.
>
> regardless of how one might think about RPKI, there are ROAs out
> there that reduce the visibility/reachability of certain prefixes and the
> general assumption is that announced prefixes would like to be reachable
> even if the operator doesn't care about RPKI and ROAs from the past
> anymore, he most likely cares about reachability from a pure operational
> point of view.


So, a lot like dnssec ... if you enable the RPKI functions (publish roas) I
think it's very much a responsibility of the publisher to provide the
correct information in an on-going and stable manner.

This seems bad, at first blush, but you will not always be here to offer
these recalcitrant folk a pointer to how to fix themselves, and TODAY
there's: "little" penalty when it comes to getting this RPKI thing
wrongly... So, ideally the folk who are 'doin it wrong' can learn, get
operational processes/procedures/personnel in place and take action for the
long term... right? :)


> my email was not about: "How much does one like RPKI?"


sorry, 'most' emails that mention RPKI are: "how much do you like the
flavor of rpki?" :)


> it is about whether it is acceptable that RIRs (and more specifically ARIN
> in this mailing list's context)
> notify affected parties of their prefixes that suffer from stale ROAs.


This I still think is a bad plan.. mostly because I don't think it'll help
:(
I think what helps is: "Oh, I can't get to <foo> and <bar> and <most of the
internet>" .... I think folk that CARE will do the right thing, folk that
'think they care' won't and will soon get disconnected from the tubez.

I apologize a tad if my view that: "breaking people will force them to fix
themselves" is .... rough :(

> Even if one dislikes RPKI entirely the opinion could still be "yes
> notifying those parties makes sense
> to restore reachability".
>
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
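
Added example, not part of the original message or thread: a minimal RFC 6811 route origin validation in Python, showing how a stale ROA makes a legitimately announced prefix INVALID, which is the reachability problem discussed above. The ROAs and announcements are constructed from documentation prefixes and ASNs, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int

def covering(prefix, roas):
    """ROAs whose prefix covers the announced prefix (same address family)."""
    route = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            out.append(roa)
    return out

def validate(prefix, origin_asn, roas):
    """RFC 6811 state of one announcement: valid, invalid or not-found."""
    cover = covering(prefix, roas)
    if not cover:
        return "not-found"
    length = ipaddress.ip_network(prefix).prefixlen
    for roa in cover:
        # AS0 ROAs never match; otherwise origin and length must both fit.
        if roa.asn != 0 and roa.asn == origin_asn and length <= roa.max_length:
            return "valid"
    return "invalid"

def invalid_report(announcements, roas):
    """Announcements a validating network would reject, with the ROAs to fix."""
    return [(p, a, covering(p, roas)) for p, a in announcements
            if validate(p, a, roas) == "invalid"]

# Constructed sample data (documentation prefixes and ASNs, not real routes).
ROAS = [
    ROA("198.51.100.0/24", 24, 64496),   # stale: prefix has moved to AS64497
    ROA("203.0.113.0/24", 24, 64500),    # still accurate
    ROA("2001:db8::/32", 32, 64501),     # maxLength too short for the /48 below
]
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64500),
    ("2001:db8:1::/48", 64501),
    ("192.0.2.0/24", 64502),             # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn, roas in invalid_report(ANNOUNCEMENTS, ROAS):
        print(prefix, f"AS{asn}", "covered by", roas)
```

A prefix with no covering ROA is not-found rather than invalid, so only operators who published ROAs and let them go stale appear in the report.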


