Dear Martin,

On Wed, Oct 11, 2023 at 10:01:53AM +0200, Martin Pels wrote:
I think this is important work.
Thanks!
As you indicated in your mail you have spent quite some time compiling the constraints files in the appendix. Keeping them up to date requires tracking allocations and policy developments in all RIRs. It reminds me of bogon filters for unallocated IP space, and the associated problems of networks not updating them [0].
Yes, indeed there is a burden associated with this risk mitigation approach. I deem tracking of ratified policies in all RIRs feasible, but yeah... it'll definitely be a recurring quarterly todo item. The current approach in developing these default constraint listings is to focus on coarse-grained filters, and not bother to document unallocated space because the resulting churn would be hard to manage & distribute.
So while each RP should be able to make policy decisions based on its own local criteria, managing a default set of constraints is something that is best done centralized. Who do you envision should manage these lists? RP software maintainers? RIRs? Others?
I guess initially it'll be the RP developers (like me), because who else is chartered to produce such listings at this moment? I do intend to keep [1] updated. Would you like to help? :-)

I envision the default constraints can be distributed via packages like rpki-trust-anchors [2] and integral in operating systems like OpenBSD in order to reduce the burden on operators.

A potential follow-up exercise here could be to propose to increase the level of detail in IANA's IPv4 Address Space Registry [0] by - for example - documenting the longer-than-/8 blocks each RIR transferred to AFRINIC when AFRINIC was instantiated.

Kind regards,

Job

[0]: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
[1]: https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-ancho...
[2]: https://packages.debian.org/stable/rpki-trust-anchors