[safnog] RPKI discussions
nishal at controlfreak.co.za
Mon Apr 13 09:45:13 UTC 2015
On 12 Apr 2015, at 09:33, Frank Habicht <geier at geier.ne.tz> wrote:
> Dear friends-in-RPKI,
> I want to say(write) something about the discussion regarding RPKI after
> Amreesh's talk, during the meeting in beautiful Swaziland.
> I like it that he mentioned specifics, like the AS and prefix involved.
> So one invalid prefix was/is seen.
> I got that right that the number of invalid prefixes from that ASN we
> discussed about is one (1) - right ??
no. more than one. what he said (paraphrased) was: "the most common problem we see is leaking of more specifics. here’s one example … "
btw - if you’re interested enough, you can run your own validator. i do this at home using the RIPE NCC validator. (see www.rpki.co.za)
> 1. so that AS did something right (create ROA(s)) and then some little
> thing wrong (announce an invalid more specific).
> And that poor representative there got a lot of heat for it.
i would hardly call a spirited discussion “heat”. :-)
let’s be clear here - riaan’s first explanation was the “why” they de-aggregated.
and the message (at least RPKI wise) is clear; we don’t care that you did de-aggregate (3741 manages its de-aggregation better than most…).
we care that you de-aggregated, and then didn’t create the necessary ROA.
for a counter-example, see the ROAs for 18.104.22.168/24 and 22.214.171.124/23
> My wild guess is that over half of the ASNs present there didn't even
> create any ROAs. I certainly haven't done that yet.
> That means I have done nothing. Nothing right and nothing bad.
> Why not bash us who're not doing anything about RPKI?
because an INVALID is worse off than an UNKNOWN.
> But now my incentives have gone into the negative. Also because of 2. below.
> Was that the intention?
good question; should we be using DNSSEC even if it means that things like .KE drop off the internet ? :-)
it’s clear to me that lots more education is needed here. and lots more attention needs to be paid to the 110% operation - including RIR uptime.
if RPKI validation is expected to take off, then, these little faux pas can’t be allowed to happen.
and all of this is only driven by operator/member interest and support.
> 2. So how was it noticed that this (invalid) more specific was announced?
> Did some networks accept it?
> Oh no! Wasn't this RPKI thing so that mis-originations are not accepted?
> That's why I asked, and only one person in the meeting said he did not
> accept this prefix. Thanks Nishal. But I'm not sure we can call this a
> "network" that was dropping that prefix, can we?
i run a validator at http://www.rpki.co.za for my own purposes. it only affects my home network at this point ;-)
i’ve found the RIPE NCC tools to be super stable (post .15), and heartily suggest you play around with it.
> So I'd like to say: this whole local-pref reduction is good for what....?
> Seems to me like the prefixes still make it everywhere they want to go,
> upstream, downstream, RIB, FIB, ...
> Is it for testing?
> pro-bono bug chasing for the vendors?
> Or is this a case of false advertising?
> I have to admit that i don't know enough about RPKI, so i might be
> missing something. Looking forward to being educated.
perhaps you can coerce amreesh into doing an RPKI tools BOF at upcoming tunis, and, again, in namibia next year?
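The distinction the thread turns on (a de-aggregated more-specific without its own ROA becomes INVALID, while a prefix with no covering ROA at all is merely UNKNOWN) is the origin validation procedure from RFC 6811. The following is an added illustration, not code from this list thread or from the RIPE NCC validator; the ROAs, prefixes and ASNs are constructed from documentation ranges, and the local-pref values in `local_pref_for` are assumed policy numbers, not anything the thread states.

```python
"""Route Origin Validation (RFC 6811) on constructed ROA data.

For one announcement (prefix, origin AS):
  - no ROA covers the prefix                      -> UNKNOWN
  - a covering ROA matches the origin AS and its
    maxLength is >= the announced prefix length    -> VALID
  - covering ROAs exist but none matches           -> INVALID
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/23"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def covering_roas(announced_prefix, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    announced = _net(announced_prefix)
    return [r for r in roas
            if _net(r.prefix).version == announced.version
            and announced.subnet_of(_net(r.prefix))]


def validate_origin(announced_prefix, origin_as, roas):
    """Return 'VALID', 'INVALID' or 'UNKNOWN' for a single BGP announcement."""
    announced = _net(announced_prefix)
    covering = covering_roas(announced_prefix, roas)
    if not covering:
        return "UNKNOWN"
    for r in covering:
        if r.asn == origin_as and announced.prefixlen <= r.max_length:
            return "VALID"
    # Covered by at least one ROA, but no ROA authorises this AS / length.
    return "INVALID"


def local_pref_for(state, reject_invalid=False):
    """Assumed policy: prefer VALID, leave UNKNOWN at default, demote or
    reject INVALID.  Returns None when the route should be rejected."""
    if state == "VALID":
        return 110
    if state == "UNKNOWN":
        return 100
    return None if reject_invalid else 90


# Constructed ROA set (documentation prefixes and private-use ASNs).
ROAS = [
    ROA("192.0.2.0/23", 23, 64500),       # no room for more-specifics
    ROA("198.51.100.0/22", 24, 64501),    # maxLength permits down to /24
    ROA("2001:db8::/32", 48, 64500),
]


def demo(roas=ROAS):
    """The situations discussed in the thread, evaluated against ROAS."""
    cases = {
        "aggregate as authorised":      ("192.0.2.0/23", 64500),
        "de-aggregated, no ROA for /24": ("192.0.2.0/24", 64500),   # the meeting case
        "wrong origin AS":              ("192.0.2.0/23", 64502),
        "within maxLength":             ("198.51.100.0/24", 64501),
        "beyond maxLength":             ("198.51.100.128/25", 64501),
        "no ROA at all":                ("203.0.113.0/24", 64502),
        "IPv6 within maxLength":        ("2001:db8:1::/48", 64500),
    }
    return {name: validate_origin(p, a, roas) for name, (p, a) in cases.items()}


def fix_by_creating_roa(roas=ROAS):
    """Creating the missing ROA is what turns the meeting case back to VALID."""
    fixed = roas + [ROA("192.0.2.0/24", 24, 64500)]
    return validate_origin("192.0.2.0/24", 64500, fixed)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:32s} {state:8s} local-pref {local_pref_for(state)}")
    print("after creating the /24 ROA:", fix_by_creating_roa())
```

Run it and the "de-aggregated, no ROA for /24" row comes out INVALID while "no ROA at all" comes out UNKNOWN, which is exactly why an operator who has created ROAs and then de-aggregates is in a worse position than one who has done nothing; `fix_by_creating_roa` shows that adding the ROA (or raising maxLength) is the remedy, and `local_pref_for` shows the difference between the local-pref demotion the thread questions and outright rejection.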