[DBWG] route-object auto-created from a ROA

Nishal Goburdhan nishal at controlfreak.co.za
Wed Oct 17 12:50:34 UTC 2018

> Avinash wrote:

sorry for the out of thread reply;  i just realised i wasn’t sub’d 
to this list :-/

> Thanks for the encouraging words.
> To answer your question, we need to be sufficiently confident that 
> such
> a tool will be useful and actually used by members.

i am an afrinic member.  i asked for this feature.  so i will use it.  
and i will add this to the training workshops that i teach.  so i 
imagine those students will use it too.  and i am sure that frank 
implied that he would use it.  edd too.  both of whom are afrinic 

let’s take a step back for a second.  this history to this request, is 
that i want you (afrinic) to make it easier to interact with your IRRDB. 
  regardless of what you think now, a large percentage of your 
membership feel the IRR is “not easy to use”.  yes, some of those 
people have no problem using the front-end of your RPKI engine.  i’ve 
been asking you to fix your IRRDB interface for a while now, but the 
last response i received, at the recent SAFNOG event was :  “we can 
not commit to a date”.  (it’s in the video archive if you care to 
look it up ..)

given that you have something that’s relatively easy to use  (the RPKI 
given that you have rules that govern the data that goes into your RPKI 
system that keep this “clean”.
given that people that care enough about routing security will likely 
have ROAs  *and* IRRDB objects.
given that this seems like an unnecessary duplication ..
i think it’s a safe bet that, if the system is in place, and easy to 
use, people (your members) will use it.

> As for the implementation, I think we can make it quite simple.

when i asked about creating objects using my.afrinic i was given the 
proverbial run-around.  :-)
so, i am super-happy to see that the people that will be responsible for 
the work, think this is “quite simple”  :-)

(and, btw, you’ll also need to allow, *at least* as-sets)

> Create and Delete, as required, only route & route(6) objects via 
> someone does not wish to issue ROAs, she may still use the current
> method to create her route objects.
> However, if she wishes to issue ROAs, then when submitting the ROA 
> form
> on MyAFRINIC, we can lookup the existing route objects and if there 
> are
> some missing, ask if these need to be created. For that we will need 
> to
> have another form to capture and validate input for the other 
> attributes
> of the route object.
> Similarly, when someone wishes to revoke her ROA, we may lookup the
> route objects and delete them if she so wishes.
> In this scenario, we do not really have to worry about route objects
> being modified, since only the attributes "route" & "origin" are 
> common
> to a ROA.

i think that what’s important is that you design so that there is as 
little pollution as possible, and it’s made as easy as possible.  
you’ve laid out a simple enough framework;  if you’d like us to 
comment more on it, i am sure people here will be happy to, but i think 
it would be more constructive if you have the discussion internally, and 
perhaps present here your workflow?

> However, in the event that a route object is deleted directly on the
> WHOIS, the ROA cannot be automatically revoked.


there’s also no reason you can’t incorporate a check to see if ROA 
matches or equals IRRDB object equals BGP announcement, and signal that 
to your member, *along* with a  what/how to fix.   (obligatory hat tip 
to irrexplorer!)

so now to echo the rest in the thread;  how soon can you have this done? 
  ;-)   of course, you can have different bits of this done in different 
stages too  (ie. ver1, ver2, ..) and i’m sure that will assuage 
members’ feelings towards these important activities ..


More information about the DBWG mailing list