[safnog] RPKI discussions

Nishal Goburdhan nishal at controlfreak.co.za
Mon Apr 13 09:45:13 UTC 2015


On 12 Apr 2015, at 09:33, Frank Habicht <geier at geier.ne.tz> wrote:

> Dear friends-in-RPKI,
> I want to say(write) something about the discussion regarding RPKI after
> Amreesh's talk, during the meeting in beautiful Swaziland.
> I like it that he mentioned specifics, like the AS and prefix involved.
> So one invalid prefix was/is seen.
> I got that right that the number of invalid prefixes from that ASN we
> discussed is one (1) - right ??

no.  more than one.  what he said (paraphrased) was:  "the most common problem we see is leaking of more specifics.  here’s one example … "
btw - if you’re interested enough, you can run your own validator.  i do this at home using the RIPE NCC validator.  (see www.rpki.co.za)


> 1. so that AS did something right (create ROA(s)) and then some little
> thing wrong (announce an invalid more specific).
> And that poor representative there got a lot of heat for it.

i would hardly call a spirited discussion “heat”.   :-)
let’s be clear here - riaan’s first explanation was the “why” they de-aggregated.  
and the message (at least RPKI wise) is clear;  we don’t care that you did de-aggregate  (3741 manages its de-aggregation better than most…).
we care that you de-aggregated, and then didn’t create the necessary ROA.

for a counter-example, see the ROAs for 196.4.160.0/24 and 196.4.160.0/23

qed.


> My wild guess is that over half of the ASNs present there didn't even
> create any ROAs. I certainly haven't done that yet.
> That means I have done nothing. Nothing right and nothing bad.
> Why not bash us who're not doing anything about RPKI?

because an INVALID is worse off than an UNKNOWN.


> But now my incentives have gone into the negative. Also because of 2. below.
> Was that the intention?


good question;   should we be using DNSSEC even if it means that things like .KE drop off the internet ?    :-)

it’s clear to me that lots more education is needed here.  and lots more attention needs to be paid to the 110% operation - including RIR uptime.  
if RPKI validation is expected to take off, then, these little faux pas can’t be allowed to happen.
and all of this is only driven by operator/member interest and support.  


> 2. So how was it noticed that this (invalid) more specific was announced?
> Did some networks accept it?
> Oh no! Wasn't this RPKI thing so that mis-originations are not accepted?
> That's why I asked, and only one person in the meeting said he did not
> accept this prefix. Thanks Nishal. But I'm not sure we can call this a
> "network" that was dropping that prefix, can we?

i run a validator at http://www.rpki.co.za for my own purposes.  it only affects my home network at this point ;-)
i’ve found the RIPE NCC tools to be super stable (post .15), and heartily suggest you play around with it.  


> So I'd like to say: this whole local-pref reduction is good for what....?
> Seems to me like the prefixes still make it everywhere they want to go,
> upstream, downstream, RIB, FIB, ...
> 
> Is it for testing?
> pro-bono bug chasing for the vendors?
> Or is this a case of false advertising?
> 
> I have to admit that i don't know enough about RPKI, so i might be
> missing something. Looking forward to being educated.

perhaps you can coerce amreesh into doing an RPKI tools BOF at upcoming tunis, and, again, in namibia next year? 

—n.
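An added illustration of the two points argued above (that a de-aggregated more-specific without its own ROA is INVALID rather than UNKNOWN, and that lowering local-pref on such a route does not keep traffic off it), written for this thread and not taken from the list, the RIPE NCC validator, or any of the networks named. It implements RFC 6811 origin validation over a constructed ROA set using RFC 5737 documentation prefixes and private-use ASNs (64500, 64501); none of the values are real registry data.

```python
"""Toy RFC 6811 route-origin validation plus a local-pref vs. drop policy.
All ROAs, prefixes and ASNs are constructed sample data (RFC 5737
documentation prefixes, private-use ASNs), not real registry contents."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress network object
    max_length: int     # longest more-specific the ROA authorises
    asn: int            # authorised origin AS


def make_roa(prefix, max_length, asn):
    return Roa(ip_network(prefix), max_length, asn)


# Constructed ROA set: the holder signed only the /23 with maxLength 23,
# so a de-aggregated /24 out of it is INVALID until a ROA for it exists.
ROAS = [make_roa("192.0.2.0/23", 23, 64500)]


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix ('covering' in RFC 6811)."""
    net = ip_network(prefix)
    return [r for r in roas
            if net.version == r.prefix.version and net.subnet_of(r.prefix)]


def validate(roas, prefix, origin_asn):
    """Return VALID, INVALID or NOT_FOUND for an (announced prefix, origin AS)."""
    net = ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "NOT_FOUND"          # nothing signed for this space: 'unknown'
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length
           for r in covering):
        return "VALID"
    return "INVALID"                # covered, but origin AS or length mismatch


# Two ways an operator can act on the validation state.
LOCAL_PREF = {"VALID": 200, "NOT_FOUND": 100, "INVALID": 50}


def local_pref_policy(roas, prefix, origin_asn):
    """Accept everything; only rank INVALID below NOT_FOUND and VALID."""
    return LOCAL_PREF[validate(roas, prefix, origin_asn)]


def drop_policy(roas, prefix, origin_asn):
    """Reject INVALID outright; accept VALID and NOT_FOUND."""
    return validate(roas, prefix, origin_asn) != "INVALID"


def installed_routes(roas, announcements, policy):
    """Routing table left behind by the chosen policy: (prefix, asn, local_pref)."""
    table = []
    for prefix, asn in announcements:
        if policy == "drop":
            if drop_policy(roas, prefix, asn):
                table.append((prefix, asn, 100))
        else:
            table.append((prefix, asn, local_pref_policy(roas, prefix, asn)))
    return table


def forwarding_prefix(routes, address):
    """Longest-prefix match: the entry that actually forwards traffic to address.
    local-pref only breaks ties between routes for the *same* prefix."""
    addr = ip_network(address)
    matches = [r for r in routes if addr.subnet_of(ip_network(r[0]))]
    if not matches:
        return None
    return max(matches, key=lambda r: (ip_network(r[0]).prefixlen, r[2]))[0]


ANNOUNCEMENTS = [("192.0.2.0/23", 64500),    # covered by the ROA: VALID
                 ("192.0.2.0/24", 64500),    # de-aggregated, no ROA: INVALID
                 ("203.0.113.0/24", 64501)]  # nothing signed at all: NOT_FOUND

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(p, a, validate(ROAS, p, a))
    for mode in ("local_pref", "drop"):
        table = installed_routes(ROAS, ANNOUNCEMENTS, mode)
        print(mode, "forwards 192.0.2.5 via", forwarding_prefix(table, "192.0.2.5/32"))
```

Under the local-pref policy the INVALID /24 still carries the traffic, because longest-prefix match picks it before local-pref is ever compared; only the drop policy leaves the VALID /23 in charge. Adding a ROA for the /24 (the counter-example given earlier in the thread) flips it to VALID.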

