On Fri, May 3, 2013 at 2:21 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 03/05/2013 19:08, Christopher Morrow wrote:
>> hopefully it won't involve people being brave :) hopefully good measurement and metrics lead us to a position where things 'just work' and we can do it with confidence! :)
>
> dropping prefixes means that you're ok about not having reachability to a prefix if its ROA pops up as "unknown". This could be because the prefix holder hasn't bothered to register their prefix in the rpki (i.e. sloppiness), or it could be because the ROA has been revoked for some reason (e.g. because of hijacking). For sure, a router can't tell the difference.

right, in the ideal tomorrow-tomorrow-land ... this all is part of turnup and the timelines associated with propagation/etc are all known and accounted for. Additionally, the systems involved are all well understood and redundant/resilient/etc. in short, in the tomorrow-tomorrow-land... this all just works as we expect/want, and the only 'unknowns' are actually 'invalid'.

> From a deployment point of view, there's a pretty big gap between poking around with rpki and actually dropping prefixes on your routers. I don't see that the rpki data will be good enough for the latter any time soon, but maybe one day.

right, no problem with this.

> Nick
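A worked illustration of the valid / invalid / unknown distinction the two of them are arguing about, added here and not part of the thread: an RFC 6811 style origin-validation check plus a policy knob for whether "unknown" (NotFound) routes are dropped. The ROAs and announcements are constructed sample values, not registry data.

```python
import ipaddress

# Constructed sample ROAs, not real RPKI data: (prefix, maxLength, origin ASN).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 origin validation.

    Returns 'valid', 'invalid' or 'unknown' (the RFC's NotFound state).
    A ROA *covers* an announcement when the announced prefix is equal to or
    more specific than the ROA prefix; it *matches* when the origin ASN is
    the same and the announced length does not exceed maxLength.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version:
            continue  # subnet_of() only compares same address family
        if net.subnet_of(roa_net):
            covered = True
            if roa_asn == origin_asn and net.prefixlen <= max_len:
                return "valid"
    # Covered by some ROA but no match -> invalid; not covered at all -> unknown.
    # As the thread notes, 'unknown' cannot distinguish "never registered"
    # from "ROA revoked", so the router has no basis for a hijack verdict here.
    return "invalid" if covered else "unknown"


def apply_policy(prefix, origin_asn, roas, drop_unknown=False):
    """Return (state, action). Only 'invalid' is dropped by default;
    dropping 'unknown' is the aggressive policy the thread cautions about."""
    state = validate_origin(prefix, origin_asn, roas)
    if state == "invalid" or (state == "unknown" and drop_unknown):
        return state, "drop"
    return state, "accept"
```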