[GTER] [lacnog] Hijack de prefixo em IRR

Rubens Kuhl rubensk at gmail.com
Mon Sep 16 00:26:45 -03 2019


>
>
>
> At some point in the future completely drop IRR...??? :-)))
>

For that point, RPKI would have to provide both origin validation and path
validation.
In my time as a network operator I suffered 0 origin validation issues (no
one attempted to announce the IP blocks originating from a different ASN)
but a handful of path validation issue (people erroneously taking peering
announcements and forwarding them to transit).

Since RPKI currently has no path validation, the operational gain of having
RPKI would have been zero.

Don't get me wrong: I know it's foundational and the future might bring a
path validation mechanism, but forward-looking is all that RPKI can be at
this point.


>
> If one owns (or have usage rights over a prefix) why isn't one able to
> create ROAs...?
> (some legacy resource holders which don't want to pay for the service
> might by the exception, i know...)
>

It requires support from your NIR or LIR if you are delegated directly by
an RIR.


>
> I wasn't really aware of this "issue".
> Isn't the service accessible through LACNIC...?
>
>
No, because LACNIC can't say for sure who they are, only NIC.br can.
NIC.br is forecasting RPKI availability for this calendar year, and is also
funding NLNetLabs development of an RPKI toolchain that will allow both
resource holders and NIC.br to use up/down protocol to request and sign
ROAs, and will also provide a publishing point for ROAs. This will likely
also allow current LACNIC RPKI users, which can only use the hosted model,
to move to up/down RPKI, but I can't point to specific announcements of
that feature.


Rubens


More information about the gter mailing list