[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Starting to Drop Invalids for Customers



Christopher Morrow wrote on 11/12/2019 03:45:
> On Tue, Dec 10, 2019 at 7:32 PM Rubens Kuhl <rubensk at gmail.com> wrote:
>> Which brings me to my favorite possible RPKI-IRR integration: a ROA
>> that says that IRR objects on IRR source x with maintainer Y are
>> authoritative for a given number resource. Kinda like SPF for BGP.
> 
> Is this required? or a crutch for use until a network can publish
> all of their routing data in the RPKI?

it sounds like a great idea which is a terrible idea.  Each operator 
will make their own choice about what RPKI TALs to accept.  Once they're 
loaded up on the rpki caches, do you really want to push more complexity 
down to the router control plane with and start making per-device 
choices about how to handle the trust level of each individual ROA?  The 
internet dfz is already being killed with complexity.  Configuring 
per-prefix trust levels at a per-device level is nuts - and wholly 
non-scalable.

If you don't want to see ROAs from a specific source, then don't import 
their TAL.

Nick