[RPKI-Discuss] [routing-wg] RPKI Route Origin Validation on RIPE NCC Network
Ben Maddison
benm at workonline.africa
Fri Jun 4 07:07:19 UTC 2021
Hi Patrick, all,
On 06/03, Patrick Okui wrote:
> I was hoping someone else would respond before me:
>
Thanks for bumping this back up to the top of the list - I totally
forgot to respond the first time around.
> In general I feel that organisations that publish RPKI data should
> also reject invalids, or we end up possibly passing on hijacked
> announcements which we set out to stop in the first place.
>
> However, AFRINIC is one of the atypical organisations that may not do
> that at least not for all their network for the very same reasons
> spelt out in the first part of that article.
>
I disagree, for the same reason that I disagreed when Nathalie asked
about the RIPE case.

Afrinic is a network operator. Network operators should drop ROV
Invalids. Full stop.

We're not suggesting that Afrinic should accept routes for 10/8, right?

Intelligence gathering in the DFZ has requirements that are totally
orthogonal to the requirements of a network that actually forwards
packets.

This is what route-views and RIS are there for. If we want (and we do)
better visibility into the DFZ in our region (including, seeing Invalids
and who is carrying them) then we should focus on improving collector
deployment on the continent.

AIRS is a welcome initiative. I am looking forward to it being more than
a re-branded web interface!

The edge of the Afrinic network is not the place to do this, not least
for the reason that the information visibility there will be dependent
on the routing policies of Afrinic's peers and transits.

A couple of safeguards might be sensible (although, for me, they should
not be blockers to the routing policy change):

- A UI warning could be provided if a member is about to create a ROA
  that would kick them out of MyAfrinic
- A member's MyAfrinic IP whitelist (these are supported, I think?) must
  contain a network not covered by a ROA issued by the same member

Cheers,
Ben
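
The two safeguards suggested in this message, sketched as an added example (not part of the original post and not AFRINIC's code): an RFC 6811 validity check run before and after a proposed ROA, and a whitelist check against the member's own ROAs. Function names, the tuple layouts and the documentation prefixes and ASNs are assumptions constructed for illustration; "covered" is taken to mean equal to or more specific than a ROA prefix.

```python
from ipaddress import ip_network

def covers(vrp_prefix, prefix):
    """True if prefix is equal to or more specific than vrp_prefix."""
    vrp, net = ip_network(vrp_prefix), ip_network(prefix)
    return vrp.version == net.version and net.subnet_of(vrp)

def rov_state(prefix, origin_asn, vrps):
    """RFC 6811 origin validation; vrps are (prefix, max_length, asn) tuples."""
    covered = False
    for vrp_prefix, max_length, asn in vrps:
        if not covers(vrp_prefix, prefix):
            continue
        covered = True
        # AS0 never matches a route, so an AS0 ROA can only produce Invalid.
        if asn != 0 and asn == origin_asn and ip_network(prefix).prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def roa_lockout_warnings(proposed_roa, existing_vrps, access_routes):
    """Safeguard 1: routes the member reaches the portal from that the proposed
    ROA would newly make Invalid (and so dropped by an ROV-enforcing edge)."""
    after = list(existing_vrps) + [proposed_roa]
    return [(prefix, origin) for prefix, origin in access_routes
            if rov_state(prefix, origin, existing_vrps) != "invalid"
            and rov_state(prefix, origin, after) == "invalid"]

def whitelist_has_uncovered_network(whitelist, member_roas):
    """Safeguard 2: at least one whitelisted network is outside every ROA
    issued by the same member, so a bad ROA cannot cut off all access."""
    return any(not any(covers(roa_prefix, entry) for roa_prefix, _, _ in member_roas)
               for entry in whitelist)

if __name__ == "__main__":
    # Constructed sample: the member announces a /25 but proposes a ROA with maxLength 24.
    proposed = ("203.0.113.0/24", 24, 64500)
    routes = [("203.0.113.0/25", 64500)]
    for prefix, origin in roa_lockout_warnings(proposed, [], routes):
        print(f"WARNING: {prefix} from AS{origin} would become ROV Invalid")
    print("whitelist ok:", whitelist_has_uncovered_network(
        ["203.0.113.0/25", "192.0.2.0/24"], [proposed]))
```

The sample shows the maxLength case: the ROA names the right origin AS, yet the member's own more-specific announcement becomes Invalid.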