Re: Acceptance of RPKI unknown in ROV
On Thu, 19 Oct 2023 at 11:56, Owen DeLong <owen@delong.com> wrote:
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG <nanog@nanog.org> wrote:
A question for network operators out there that implement ROV…
Is anyone rejecting RPKI unknown routes at this time?
I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t match the route), but I’m wondering if anyone is currently or has any plans to start rejecting routes which don’t have a matching ROA at all?
This would be a bad idea and cause needless fragility in the network without any upsides.
I’m not intending to advocate it, I’m asking if anyone is currently doing it.
I’m not aware of anyone doing this, and have not heard operators express interest in doing this (probably because it seems such an unpleasant concept).
Somewhat related:
I do know of operators that require a ROA (if it’s non-legacy space) during their customer onboarding process, for example, in BYOIP for DIA cases. But those operators do not expect the ROA to continually exist after the provisioning has been completed successfully. Making the continued availability of a route dependent on the continued validity of a ROA is where friction starts to form.
Kind regards,
Job
On 20-Oct-2023, at 00:35, nanog@nanog.org wrote:
On Thu, 19 Oct 2023 at 11:56, Owen DeLong <owen@delong.com> wrote:
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG <nanog@nanog.org> wrote:
A question for network operators out there that implement ROV…
Is anyone rejecting RPKI unknown routes at this time?
I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t match the route), but I’m wondering if anyone is currently or has any plans to start rejecting routes which don’t have a matching ROA at all?
This would be a bad idea and cause needless fragility in the network without any upsides.
I’m not intending to advocate it, I’m asking if anyone is currently doing it.
I’m not aware of anyone doing this, and have not heard operators express interest in doing this (probably because it seems such an unpleasant concept).
Somewhat related:
I do know of operators that require a ROA (if it’s non-legacy space) during their customer onboarding process, for example, in BYOIP for DIA cases.
In my region also, ISPs are asking for valid ROAs before on-boarding users.
But those operators do not expect the ROA to continually exist after the provisioning has been completed successfully. Making the continued availability of a route dependent on the continued validity of a ROA is where friction starts to form.
Kind regards,
Job
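Added example, not part of any message in this thread: a minimal RFC 6811 origin-validation classifier showing the three states the thread discusses (valid, invalid, and unknown, which the RFC calls NotFound) and how an import policy that also rejects unknown differs from the common reject-invalid policy. The function names, the `reject_unknown` flag, and all VRPs and routes are constructed for illustration and use documentation prefixes and ASNs.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and ASNs only; all values are illustrative.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """Classify a route per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route is equal to, or more
        # specific than, the VRP prefix (same address family).
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match also needs the same origin AS and a prefix length within
        # maxLength. AS 0 in a VRP never matches any route.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: "a ROA exists, but doesn't match the route".
    return "invalid" if covered else "not-found"

def accept(prefix, origin_asn, reject_unknown=False, vrps=VRPS):
    """Import policy: always drop invalid; drop not-found only if asked to."""
    state = rov_state(prefix, origin_asn, vrps)
    if state == "not-found":
        return not reject_unknown
    return state == "valid"

# Constructed sample announcements: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64496),     # matches a VRP
    ("192.0.2.0/25", 64496),     # longer than maxLength
    ("198.51.100.0/24", 64511),  # wrong origin AS
    ("203.0.113.0/24", 64499),   # no covering VRP
    ("2001:db8:1::/48", 64498),  # within maxLength 48
]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(f"{prefix:18} AS{asn}  {rov_state(prefix, asn):9}  "
              f"reject-invalid={accept(prefix, asn)}  "
              f"reject-unknown-too={accept(prefix, asn, reject_unknown=True)}")
```

With `reject_unknown=True`, the only route whose fate changes is the one with no covering VRP, which is the case the thread describes as making route availability depend on a ROA continuing to exist.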
Participants (2): Gaurav Kansal, Job Snijders