On 08/11/2011 21:32, Valdis.Kletnieks@vt.edu wrote:
Anybody who puts their rpki cache someplace that isn't accessible until they get the rpki initialized gets what they deserve.
One solution is to have directly-connected rpki caches available to all your bgp edge routers throughout your entire network. This may turn out to be expensive capex-wise, and will turn out to be yet another critical infrastructure item to maintain, increasing opex. Alternatively, you host rpki caches on all your AS-edge routers => upgrades - and lots of currently-sold kit will simply not handle this sort of thing properly.
Once you realize this, the rest of the "what do we do for routing until it comes up" concern trolling in the rest of that paragraph becomes pretty easy to sort out...
I humbly apologise for expressing concern about the wisdom of imposing a hierarchical, higher-layer validation structure for forwarding-info management on a pre-existing lower layer fully distributed system which is already pretty damned complex... What's that principle called again? Was it "Keep It Complex, Stupid"? I can't seem to remember :-)
Caching just enough to validate the routes you need to get to a more capable rpki server shouldn't have a high write life-cycle.
Lots of older flash isn't going to like this => higher implementation cost due to upgrades.
Heck, you could just manually configure a host route pointing to the rpki server...
Yep, hard coding things - good idea, that.
And it would hardly be the first time that people have been unable to deploy feature XYZ because it wouldn't fit in the flash on older boxes still in production.
This is one of several points I'm making: there is a cost factor here, and it's not clear how large it is. Nick