On 18 Sep 2022, at 20:42, Owen DeLong <owen@delong.com> wrote:
Since at its best, all RPKI can provide is a hint at how to properly lie about an announcement (i.e. what you must prepend in order for it to be believed), I remain unconvinced that it provides any actual benefit except, perhaps, to the largest and most well known ASNs as originators.
Owen
That’s not the point I’m making. You said something about the number of invalids and people making mistakes. I argue that may be because of ARIN’s service offering. After over a decade of service, I wonder why it’s not better. There is plenty of inspiration to take from the other RIRs. -Alex
On Sep 18, 2022, at 11:38 , Alex Band <alex@nlnetlabs.nl> wrote:
On 18 Sep 2022, at 20:17, Owen DeLong via NANOG <nanog@nanog.org> wrote:
On Sep 15, 2022, at 22:04 , Rubens Kuhl <rubensk@gmail.com> wrote:
On Fri, Sep 16, 2022 at 12:45 PM William Herrin <bill@herrin.us> wrote:
On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl <rubensk@gmail.com> wrote:
On Fri, Sep 16, 2022 at 11:55 AM William Herrin <bill@herrin.us> wrote: > No, the best option for me right now is that I just don't participate > in RPKI and the system has one less participant. And that's a shame.
That's only true in the current environment where RPKI is only used to invalidate bogus routes. When any reachability for RPKI-unknowns is lost, that will change.
Hi Rubens,
If you want to bet me on folks ever deciding to discard RPKI-unknowns down in the legacy class C's I'll be happy to take your money.
I don't think people will look at even the class, and definitively not to legacy or non-legacy partitions. They will either drop it all, or not drop it at all.
Note that when the only IP blocks that spammers and abusers can inject in the system are non-signed ones, those blocks will get bad reputations pretty fast. So the legacy holders use case for RPKI might come sooner than you think.
Nah… Because the reputations will still be the individual /24s and while lots of /24s around mine have bad reputations, mine doesn’t and never has (modulo a couple of administrative errors that were on me and legitimately my fault, not actual spammers).
Anyway, the risk/reward calculation for NOT signing the LRSA right now is really a no-brainer. It's just unfortunate that means I won't get an early start on RPKI.
Discarding RPKI-invalids is something you can do right now and that doesn't come with a price tag. Good BCP38 and RPKI-invalid hygiene is the thankless gift you can give to the community.
Yes, but I think that RPKI unknowns are never going to be something that can be safely dropped and 90% of RPKI invalids so far seem to be people making RPKI mistakes with their legitimate announcements.
The more I look at RPKI, the more it looks like a lot of effort with very little benefit to the community.
While I’m sure that most would agree that RPKI offers at least some benefits, perhaps the problem is the cost/benefit of doing RPKI in the ARIN region compared to the rest of the world, e.g. ticketed requests to set it up, no indication of what the effect of your ROA is going to be before you publish, handling ROA expiry manually, etc.
In other regions using RPKI is orders of magnitude simpler to set up and maintain, and a lot less error prone. They provide alerting when your ROA do not seem to match what is seen in BGP, create matching route: objects, etc.
To illustrate, here’s a video of the RIPE NCC management UI from 2015 (!):
(And no, the nonrepudiation requirement in ARIN is not an excuse)
-Alex
YMMV
Owen