[safnog] RPKI discussions
- Subject: [safnog] RPKI discussions
- From: nishal at controlfreak.co.za (Nishal Goburdhan)
- Date: Mon, 13 Apr 2015 11:45:13 +0200
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 12 Apr 2015, at 09:33, Frank Habicht <geier at geier.ne.tz> wrote:
> Dear friends-in-RPKI,
> I want to say(write) something about the discussion regarding RPKI after
> Amreesh's talk, during the meeting in beautiful Swaziland.
> I like it that he mentioned specifics, like the AS and prefix involved.
> So one invalid prefix was/is seen.
> I got that right that the number of invalid prefixes from that ASN we
> discussed about is one (1) - right ??
no. more than one. what he said (paraphrased) was: "the most common problem we see is leaking of more specifics. here’s one example …"
btw - if you’re interested enough, you can run your own validator. i do this at home using the RIPE NCC validator. (see www.rpki.co.za)
> 1. so that AS did something right (create ROA(s)) and then some little
> thing wrong (announce an invalid more specific).
> And that poor representative there got a lot of heat for it.
i would hardly call a spirited discussion “heat”. :-)
let’s be clear here - riaan’s first explanation was the “why” they de-aggregated.
and the message (at least RPKI wise) is clear; we don’t care that you did de-aggregate (3741 manages its de-aggregation better than most…).
we care that you de-aggregated, and then didn’t create the necessary ROA.
for a counter-example, see the ROAs for 184.108.40.206/24 and 220.127.116.11/23
> My wild guess is that over half of the ASNs present there didn't even
> create any ROAs. I certainly haven't done that yet.
> That means I have done nothing. Nothing right and nothing bad.
> Why not bash us who're not doing anything about RPKI?
because an INVALID is worse off than an UNKNOWN.
> But now my incentives have gone into the negative. Also because of 2. below.
> Was that the intention?
good question; should we be using DNSSEC even if it means that things like .KE drop off the internet ? :-)
it’s clear to me that lots more education is needed here. and lots more attention needs to be paid to the 110% operation - including RIR uptime.
if RPKI validation is expected to take off, then, these little faux pas can’t be allowed to happen.
and all of this is only driven by operator/member interest and support.
> 2. So how was it noticed that this (invalid) more specific was announced?
> Did some networks accept it?
> Oh no! Wasn't this RPKI thing so that mis-originations are not accepted?
> That's why I asked, and only one person in the meeting said he did not
> accept this prefix. Thanks Nishal. But I'm not sure we can call this a
> "network" that was dropping that prefix, can we?
i run a validator at http://www.rpki.co.za for my own purposes. it only affects my home network at this point ;-)
i’ve found the RIPE NCC tools to be super stable (post .15), and heartily suggest you play around with it.
> So I'd like to say: this whole local-pref reduction is good for what....?
> Seems to me like the prefixes still make it everywhere they want to go,
> upstream, downstream, RIB, FIB, ...
> Is it for testing?
> pro-bono bug chasing for the vendors?
> Or is this a case of false advertising?
> I have to admit that i don't know enough about RPKI, so i might be
> missing something. Looking forward to being educated.
perhaps you can coerce amreesh into doing an RPKI tools BOF at upcoming tunis, and, again, in namibia next year?
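The two points made in this thread (a de-aggregated more-specific without its own ROA is INVALID, and an INVALID is worse off than an UNKNOWN) follow directly from the RFC 6811 origin-validation procedure. The following is an added illustration, not code from the thread, the RIPE NCC validator or any of the networks named above: it implements that procedure over a small constructed ROA set using documentation prefixes and private ASNs, and the `local_pref_for` policy table is an assumed example of the local-pref reduction Frank asks about, not anyone's actual router configuration.

```python
import ipaddress
from dataclasses import dataclass

# One Route Origin Authorization: the prefix, the longest prefix length the
# holder authorises (maxLength), and the ASN allowed to originate it.
@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    origin_asn: int


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation for one announcement.

    UNKNOWN: no ROA covers the announced prefix at all.
    VALID:   at least one covering ROA matches the origin ASN and the
             announced length does not exceed that ROA's maxLength.
    INVALID: ROAs cover the prefix, but none of them authorises this
             (origin, length) combination.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue
        # A ROA "covers" a route when the route is equal to or more specific
        # than the ROA prefix, regardless of maxLength or ASN.
        if net.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "UNKNOWN"
    for roa, roa_net in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID"


# Assumed example policy (not a real router config): keep VALID preferred,
# leave UNKNOWN at the default, and push INVALID well below both so that
# any valid or unknown path wins. Dropping INVALID outright is the stricter
# alternative mentioned in the thread.
def local_pref_for(state: str, base: int = 100) -> int:
    return {"VALID": base + 10, "UNKNOWN": base, "INVALID": base - 50}[state]


# Constructed ROA set: AS 64500 has signed its /24 but with maxLength 24,
# so any de-aggregated more-specific it announces is not authorised.
SAMPLE_ROAS = [Roa("192.0.2.0/24", 24, 64500)]

# The fix the thread calls for: a ROA that actually permits the /25.
FIXED_ROAS = SAMPLE_ROAS + [Roa("192.0.2.0/24", 25, 64500)]


def classify(announcements, roas):
    """Return {(prefix, asn): (state, local_pref)} for a set of announcements."""
    out = {}
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        out[(prefix, asn)] = (state, local_pref_for(state))
    return out


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64500),     # covered, correct ASN and length
        ("192.0.2.0/25", 64500),     # de-aggregated beyond maxLength
        ("192.0.2.0/24", 64501),     # hijack-style wrong origin
        ("198.51.100.0/24", 64500),  # no ROA at all
    ]
    for roas, label in ((SAMPLE_ROAS, "before fix"), (FIXED_ROAS, "after adding /25 ROA")):
        print(f"--- {label} ---")
        for key, (state, pref) in classify(announcements, roas).items():
            print(f"{key[0]:18} AS{key[1]}  {state:8} local-pref {pref}")
```

Run as-is the script prints the four announcements twice: before the fix the /25 is INVALID and sits below the UNKNOWN prefix that has no ROA at all, which is exactly the "INVALID is worse off than UNKNOWN" point; after the second ROA with maxLength 25 is added, the same /25 becomes VALID without touching the BGP announcement.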