Christopher Morrow wrote on 11/12/2019 03:45:
On Tue, Dec 10, 2019 at 7:32 PM Rubens Kuhl <rubensk@gmail.com> wrote:
Which brings me to my favorite possible RPKI-IRR integration: a ROA that says that IRR objects on IRR source x with maintainer Y are authoritative for a given number resource. Kinda like SPF for BGP.
Is this required? or a crutch for use until a network can publish all of their routing data in the RPKI?
it sounds like a great idea which is a terrible idea. Each operator will make their own choice about what RPKI TALs to accept. Once they're loaded up on the rpki caches, do you really want to push more complexity down to the router control plane with and start making per-device choices about how to handle the trust level of each individual ROA? The internet dfz is already being killed with complexity. Configuring per-prefix trust levels at a per-device level is nuts - and wholly non-scalable. If you don't want to see ROAs from a specific source, then don't import their TAL. Nick