On Mon, Feb 6, 2012 at 1:35 AM, Mark Tinka <mtinka@globaltransit.net> wrote:
> On Monday, February 06, 2012 01:14:20 PM Christopher Morrow
> We manually check the RIR WHOIS database. I'm sure some

do you have customers with 10k long prefix lists? it gets hard when the lists get long, or the data is for downstream folks of your customer. Good that someone's checking though, I'd love to see this part automated.

resource certification would at least get us to the point where checking the data in the IRR is 'easy', it's not going to get people to PUT FILTERS ON CUSTOMER SESSIONS, and it's not going to get people to update their IRR objects (add AND DELETE!!!)

> I support RPKI, but also realize that operator support will take a very long time for various reasons, e.g., education, delayed software upgrades, persistence with older methods, fear of centralization, etc.
> In such a case, operators will need to support "Invalid" and "NotFound" states of origin information for a long time. As

RPKI doesn't necessarily mean that the router knows anything about certificates in the short-term. I think there's a time when 'the resource certification system' (which is really, today, the rpki) holds cert/roa data that you could use to filter what the IRR tells you for a customer. You could even do this in any automated manner!

> adoption and deployment increases, operators can begin dropping "Invalid" results, "NotFound" results, or both. Or even mark them down with poor LOCAL_PREF values so as not to use those routes for forwarding unless it is really necessary.

The time between the previous and next paragraphs though is when all ISPs will need to beat the drums with their customers saying: "Hey, you REALLY need to get that shit into the 'resource certification system' (rpki), NOW." (because shortly we'll stop accepting your "invalid" routes... and then the interwebs won't be able to find you, and we'll all be sad.)

> At some point, when diffusion of RPKI is sufficiently prolific, anything that does not return a "Valid" result will be dropped. This should force every operator around the world to support it, much like the large carriers forced us all to use IRRs just so they won't ignore our routes, wherever we are in the world.
> But before all this happens, we have to prevent more hijacks. And we have to use the tools we have today.

sure... it's not working so well though :(
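The automated check the thread describes (use ROA data to validate what the IRR says for a customer, then mark Invalid/NotFound routes down with LOCAL_PREF rather than dropping them outright) as an added example, not code from either poster; the ROAs, IRR route objects and LOCAL_PREF values are constructed for illustration, and the validation follows the RFC 6811 origin-validation rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One ROA from the RPKI: covered prefix, longest allowed length, authorised origin."""
    prefix: str
    max_length: int
    origin_asn: int


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation of one route: returns 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route at all
        covered = True  # covered by at least one ROA, so the answer is Valid or Invalid
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


# Constructed policy: prefer Valid, degrade NotFound, park Invalid on a low
# preference. Changing the Invalid action to a drop later is a one-line policy change.
LOCAL_PREF = {"Valid": 100, "NotFound": 80, "Invalid": 50}


def build_policy(irr_routes, roas):
    """Check each (prefix, origin ASN) the IRR gives for a customer against the ROAs."""
    policy = []
    for prefix, asn in irr_routes:
        state = validate(prefix, asn, roas)
        policy.append((prefix, asn, state, LOCAL_PREF[state]))
    return policy


# Constructed sample data using documentation prefixes and private-use ASNs.
SAMPLE_ROAS = [Roa("192.0.2.0/24", 24, 64496), Roa("198.51.100.0/24", 25, 64497),
               Roa("2001:db8::/32", 48, 64496)]
SAMPLE_IRR = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("192.0.2.0/24", 64511),
              ("198.51.100.128/25", 64497), ("203.0.113.0/24", 64496), ("2001:db8:1::/48", 64496)]

if __name__ == "__main__":
    for prefix, asn, state, pref in build_policy(SAMPLE_IRR, SAMPLE_ROAS):
        print(f"{prefix:20} AS{asn}  {state:8} local-pref {pref}")
```

An Invalid result on a customer's own IRR object is exactly the stale or wrong data the thread complains about (the /25 more-specific and the wrong-origin /24 above), so the same output doubles as a list of objects to chase the customer to fix or delete.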