[RPKI-Discuss] [routing-wg] RPKI Route Origin Validation on RIPE NCC Network

Frank Habicht geier at geier.ne.tz
Fri Jun 4 05:09:14 UTC 2021


Hi,

I think there are contradicting requirements
a) do the right thing, reject invalid, clean stable network
b) have more info about RPKI (invalids)

So I guess there could/should be a split into 2 ASes:
1. for corporate, office, servers, services, almost everything
2. for research department, also to be used by training

The (1.) "normal" network can go ahead and drop invalids, secure network per
BCP.
The (2.) "research" network should try to get more BGP feeds, even from
providers who are not dropping invalids, at minimal bandwidth, and
possibly unrelated location.

So I'd say:
research: get your own ASN (and router)
training: tell research which data you need, let them get it

Regards,
Frank


On 04/06/2021 07:53, Musa Stephen Honlue wrote:

> Hi
>
> Sent from my iPhone
>
>> On 3 Jun 2021, at 22:24, Patrick Okui <pokui at psg.com> wrote:
>>
>> On 3 Jun 2021, at 21:18 EAT, Carlos M. Martinez wrote:
>>
>> So, IMO, ROV (either rejecting invalids or doing what you think is
>> appropriate) is a distinct operation from creating ROAs and I
>> believe that at this point in time every resource holder should be
>> creating their ROAs, but implementing ROV is something that it
>> might or might not make sense to a particular network.
>>
>> Agreed, which is why I said “in general”. Security researchers for
>> example may want to ignore “valids” and mostly concentrate on “invalids”.
>>
>> However, if in general my ROAs do not result in a decent possibility
>> that a hijack will be dropped (until I go kicking and screaming) then
>> I have less incentive to create them. This is the chicken and egg
>> issue I’ve faced when preaching ROA generation.
>>
> I fully agree here.
>
> I mean, what is the essence of creating ROAs if no one is using them to
> stop propagating hijacks?
>>
>> --
>> patrick
>>
>> _______________________________________________
>> RPKI-Discuss mailing list
>> RPKI-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpki-discuss