Dear Jon, group,

On Wed, Jun 17, 2020 at 10:25:14AM -0400, Jon Lewis wrote:
> On Mon, 15 Jun 2020, Mike Leber via NANOG wrote:
> > I'm pleased to announce Hurricane Electric has completed our RPKI INVALID filtering project and we now have 0 RPKI INVALIDs in our routing table.
> >
> > Hurricane Electric has 29021 BGP sessions with 22109 prefix filters with 7191 networks directly and 8239 networks including Internet exchanges.
>
> The flip side of this though is that every time an IP space owner publishes an ROA for an aggregate IP block and overlooks the fact that they have customers BGP originating a subnet of the aggregate with an ASN not permitted by an ROA, HE has "less than a full table". :(

Do you remember the old BSD paradigm? ... "less is more"

I think it applies here. We are now in a time where a *smaller* routing table entry list count is preferable to a 'full' table, because the fullest table is likely to also include problematic BGP routing information.

It is important to recognise that RPKI ROA creation is an *OPTIONAL* protection mechanism. If you create ROAs, you indeed can harm your network, but at the same time, if you create the ROAs correctly, you will gain massive benefits.

RPKI ROA creation is a big hammer. Everyone needs to think carefully about each ROA they create and if it will positively or negatively impact their network. NTT spend *months* creating ROAs for all the prefixes, researching for each BGP announcement if the ROA would be good or bad. We now got virtually all our space covered by ROAs, it's nice.

> i.e. I'm questioning whether the system is mature enough and properly used widely enough for dropping RPKI invalids to be a good idea?

Yes.

"We made an impossible bird, and it was able to fly". :-)

The global deployment of RPKI ROV in the BGP Default-Free Zone already is a fact, we made it work! All carriers that keep the Internet connected together, and care about preventing routing incidents - are committed to this effort. Thousands of people are now involved at this point.

What now remains.. is polishing away some of the sharp edges [1][2][3][4], and bikeshedding about some of the colors :-)

The below links are like an 'ala carte menu', anyone can engage in discussions about RPKI at any level they feel comfortable with. Many people are looking for feedback and input through different forums on what and how to build it. Pick a platform you enjoy engaging on and participate (and stick around on this mailing list, all good)! :)

Kind regards,

Job

[1]: https://www.youtube.com/watch?v=oBwAQep7Q7o
[2]: https://mailarchive.ietf.org/arch/msg/sidrops/ayCQbKvJZmE5TGq9IxL9qUM-zQ4/
[3]: https://github.com/RIPE-NCC/rpki-validator-3/issues/158
[4]: https://twitter.com/routinator3000/status/1255439035553779713
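
The per-announcement research described in this message can be sketched as a pre-publication check. The following is an added example, not part of the original post or any NTT or Hurricane Electric tooling: it applies RFC 6811 origin validation to a list of observed announcements and reports which would turn INVALID once a proposed ROA is published. All prefixes and ASNs are constructed documentation values, and the names `rov_state` and `roa_impact` are hypothetical.

```python
import ipaddress

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.
    roas is a list of (roa_prefix, max_length, asn) tuples."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # AS0 ROAs never match; the announcement must also respect maxLength
        if roa_asn == origin_asn and roa_asn != 0 and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def roa_impact(announcements, current_roas, proposed_roas):
    """Announcements that become INVALID only because of the proposed ROAs."""
    after = current_roas + proposed_roas
    broken = []
    for prefix, asn in announcements:
        before_state = rov_state(prefix, asn, current_roas)
        if before_state != "invalid" and rov_state(prefix, asn, after) == "invalid":
            broken.append((prefix, asn, before_state))
    return broken

# Constructed sample: what a collector might show under the holder's aggregate.
ANNOUNCEMENTS = [
    ("2001:db8::/32", 64496),    # the holder's aggregate
    ("2001:db8:a::/48", 64500),  # customer originating a subnet with its own ASN
    ("2001:db8:b::/48", 64496),  # holder's own more-specific
    ("203.0.113.0/24", 64496),   # unrelated IPv4 space, no ROA planned
]
# The overlooked case from the thread: one ROA for the aggregate only.
AGGREGATE_ONLY = [("2001:db8::/32", 32, 64496)]
# A corrected set: maxLength covers the holder's /48, customer gets its own ROA.
CORRECTED = [("2001:db8::/32", 48, 64496), ("2001:db8:a::/48", 48, 64500)]

if __name__ == "__main__":
    for label, roas in (("aggregate only", AGGREGATE_ONLY), ("corrected", CORRECTED)):
        print(label, "->", roa_impact(ANNOUNCEMENTS, [], roas))
```

An empty result from `roa_impact` means no currently visible announcement would be dropped by networks that filter RPKI INVALIDs; it only covers the announcements supplied as input.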