Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02

Nishal Goburdhan nishal at controlfreak.co.za
Thu Sep 17 17:29:34 UTC 2020


On 17 Sep 2020, at 11:08, Ben Maddison via RPD wrote:

hi ben,


> Thus, today, a de-registration probably results in a partial outage

> that

> can be worked-around, rather than a near-total outage that cannot.


this was definitely true 5 years ago.

but it is less true every day now; pick your favourite modern
network/CDN/IXP and i bet that they are busy implementing, if they
already haven’t done this. and even if you discount the “large”
networks, there are many folks that spend their time teaching
networks/ixps in-region how to do this (guilty!) to improve the state of
overall network filtering. even afrinic does this now ;-)

and let’s be clear about “the workaround” - there’s the same
level of work required to get a missing IRR entry installed, *for an
allocation that has gone missing at RIR level*, or to fix an AS0 ROA.
in fact, since most networks have automatic retrieval, a new ROA is
likely to be updated *FASTER* than an errant IRR object (where filters
are built usually once a day)

but that’s not really the genesis of the argument, and i am sure
we’ll meet somewhere and can continue this .. :-)



> This is either a feature or a bug in the policy, depending on your

> point

> of view regarding a specific de-registration case!

>

> I would suggest the following modifications, in order to alleviate

> some

> of the risks inherent in the current draft:

> 1. The automatic creation of AS0 ROAs should be limited to space that

> has never been allocated by an RIR or part of a legacy allocation.

> 2. AFRINIC should require the explicit consent of the previous holder

> to issue AS0 ROAs in respect of re-claimed, returned, etc, space.

> 3. Any ROAs issued under this policy should be issued and published

> in

> a way that makes it operationally easy for an relying party to

> ignore them (probably by issuing under a separate TA)


rather than nitpick, i think that these are implementation issues, and
that there is sufficient clue in this community to put in checks and
balances like this, in an _implementation_ plan, which need not be
codified in a policy statement. i mean, just in the past two days
alone, a whole new crop of RPKI experts has shown up ..

—n.



More information about the RPD mailing list