[RPKI-Discuss] [routing-wg] RPKI Route Origin Validation on RIPE NCC Network

[Carlos M. Martinez]

Hi Patrick!

On 3 Jun 2021, at 15:01, Patrick Okui wrote:


> In general I feel that organisations that publish RPKI data should 

> also reject invalids, or we end up possibly passing on hijacked 

> announcements which we set out to stop in the first place.


It depends on whether it makes sense to reject invalids or not. I work 
for LACNIC so I feel free to use my network as an example.

LACNIC operates two autonomous systems, 28000 and 28001. AS 28000 is our 
network in Montevideo, Uruguay and 28001 is our POP in Sao Paulo, 
Brazil.

AS 28000 (MVD), due to the limited nature of the telecom services we 
have access to in Montevideo, does not receive full routing and thus 
needs a default route. In this case, rejecting invalids makes no sense 
and it’s actually irrelevant. We do reject invalids so we can measure 
it, but in terms of traffic makes no difference whatsoever.

AS 28001 (GRU) does get full routing and peers to IX.br. In this case it 
does make sense to reject invalids.

So, IMO, ROV (either rejecting invalids or doing what you think is 
appropriate) is a distinct operation from creating ROAs and I believe 
that at this point in time every resource holder should be creating 
their ROAs, but implementing ROV is something that it might or might not 
make sense to a particular network.


Hope this helps.

/Carlos