Search RPD Archives
[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02
Nishal Goburdhan
nishal at controlfreak.co.za
Thu Sep 17 17:29:34 UTC 2020
On 17 Sep 2020, at 11:08, Ben Maddison via RPD wrote:
hi ben,
> Thus, today, a de-registration probably results in a partial outage
> that
> can be worked-around, rather than a near-total outage that cannot.
this was definitely true 5 years ago.
but it is less true every day now; pick your favourite modern
network/CDN/IXP and i bet that they are busy implementing, if they
already haven’t done this. and even if you discount the “large”
networks, there are many folks that spend their time teaching
networks/ixps in-region how to do this (guilty!) to improve the state of
overall network filtering. even afrinic does this now ;-)
and let’s be clear about “the workaround” - there’s the same
level of work required to get a missing IRR entry installed, *for an
allocation that has gone missing at RIR level*, or to fix an AS0 ROA.
in fact, since most networks have automatic retrieval, a new ROA is
likely to be updated *FASTER* than an errant IRR object (where filters
are built usually once a day)
but that’s not really the genesis of the argument, and i am sure
we’ll meet somewhere and can continue this .. :-)
> This is either a feature or a bug in the policy, depending on your
> point
> of view regarding a specific de-registration case!
>
> I would suggest the following modifications, in order to alleviate
> some
> of the risks inherent in the current draft:
> 1. The automatic creation of AS0 ROAs should be limited to space that
> has never been allocated by an RIR or part of a legacy allocation.
> 2. AFRINIC should require the explicit consent of the previous holder
> to issue AS0 ROAs in respect of re-claimed, returned, etc, space.
> 3. Any ROAs issued under this policy should be issued and published
> in
> a way that makes it operationally easy for an relying party to
> ignore them (probably by issuing under a separate TA)
rather than nitpick, i think that these are implementation issues, and
that there is sufficient clue in this community to put in checks and
balances like this, in an _implementation_ plan, which need not be
codified in a policy statement. i mean, just in the past two days
alone, a whole new crop of RPKI experts has shown up ..
—n.
More information about the RPD
mailing list