Fair point and you appear to be correct. I’ll caveat I’m speaking without concrete data, but I suspect that there are enough routes not held in RIR-hosted route servers that dropping the unauthenticated IRRs would be… impactful. -C

On Mar 21, 2025, at 08:56, Steven Wallace <ssw@internet2.edu> wrote:

Hi Chris,

I see SIX uses RADB, among other non-authenticated IRRs, so I assume routes don’t require an authenticated IRR route object?

thanks

steve On 21 Mar 2025, at 11:29, Chris Woodfield wrote:

SIX filters on both IRR data and RPKI validation: https://www.seattleix.net/route-servers

-Chris

On Mar 21, 2025, at 06:29, Steven Wallace via NANOG nanog@lists.nanog.org <mailto:nanog@lists.nanog.org> wrote:

Greetings,

Are many/any/most IXP route server operators filtering routes without authenticated (i.e., RIR-hosted) route objects?

thanks,

steve

Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu <mailto:ssw@internet2.edu> NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/NMPVOLA5...

Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu <mailto:ssw@internet2.edu>

Hi all, Malte’s email below is on point. The one addition I’d make is that most IXPs are not / would not use "non-authenticated IRRs” by default but rather on member request where they specify the IRRDB to query. This typically only happens for larger international networks rather than regional ones where they’d only be a member of a single RIR. Also, IRR data should only come into play after RPKI validation returns ‘unknown’. A standard algorithm is described here: https://docs.ixpmanager.org/latest/features/route-servers/#filtering-algorit... - Barry ------ Original Message ------ From "Malte Tashiro via NANOG" <nanog@lists.nanog.org> To nanog@lists.nanog.org Cc "Malte Tashiro" <malte@iij.ad.jp> Date 26/03/2025 03:20:08 Subject [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects

On 3/22/25 01:53, Chris Woodfield via NANOG wrote:

...

Fair point and you appear to be correct. I’ll caveat I’m speaking without concrete data, but I suspect that there are enough routes not held in RIR-hosted route servers that dropping the unauthenticated IRRs would be… impactful.

In the RIPE Connect-WG there are efforts to establish a BCP document to only use RIR IRRs for filtering.

As part of this there was a presentation at RIPE 88 [0] where someone from DE-CIX showed an impact analysis. Their takeaway is that dropping RADB would result in a loss of 11% of /24s and 250 Gbps traffic at peak, i.e., a significant amount. Other non-RIR IRRs contribute only a small amount.

There is a follow-up mail thread with lots of discussion [1] (which also has the full BCP draft attached), and in my understanding it seems to be normal operating practice to use non-authenticated IRRs (especially RADB).

So coming back to Steve's original question:

On 3/21/25 22:29, Steven Wallace via NANOG wrote:

...

Are many/any/most IXP route server operators filtering routes without authenticated (i.e., RIR-hosted) route objects?

If there is filtering in place, it seems like many IXPs allow non-authenticated route objects.

Best, Malte

[0] Video: https://ripe88.ripe.net/archives/video/1356/ Slides: https://ripe88.ripe.net/wp-content/uploads/presentations/87-RIPE88_RS_Propos... [1] https://mailman.ripe.net/archives/list/connect-wg@ripe.net/thread/FGUT3D37HO...