
Reaching out to ARIN members about their RPKI INVALID prefixes

Christopher Morrow wrote:
> Perhaps this was answered elsewhere, but: "Why is this something
> ARIN (the org) should take on?"

Thanks for this question, I believe this is an important one.

I reasoned about why I think RIRs are in a good position to send these emails here: [1]
but I will quote from it for convenience:

> Notifying affected IP Holders
> The natural next step (and that was our initial intention when
> looking at INVALIDs) would be to send out emails to affected IP
> holders and ask them to address the INVALIDs, but although that could
> be automated, we believe the impact would be better if that email
> came from some trusted entity like the RIR relevant to the affected
> IP holder instead of a random entity they never had any contact
> with before (us).
> Asking RIRs to reach out to their members also scales better since
> every RIR would only have to take care of their own members.

[1] https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c

> Why can't (or why isn't) this something that 'many' 
> monitoring/alerting companies/orgs are offering?

There are companies offering BGP monitoring including RPKI ROAs, but
the affected IP holders are unlikely customers of those monitoring
services or generally aware of the problem.

> it's unclear, to me, why ARIN is in any better position than any
> other party to perform this sort of activity? I would expect that, at
> the base level, "I just got random/unexpected email from ARIN?" will
> get dropped in the spam-can, while: "My monitoring company to which I
> signed up/contracted emailed into my ticket-system for action..
> better go do something!" is the path to incentivize.

The problem is how you make operators aware of the problem in the first place.

> The question I asked ARIN was specifically:
>>> Would you be open to reach out to your affected members to
>>> inform them about their affected IP prefixes?
> 'how?' (email to the tech-contact? etc? did they sign up for said 
> monitoring and point to the right destination email catcher?)

Yes, that is what I had in mind (notification via email to the tech contact).

kind regards,

