Starting to Drop Invalids for Customers
- Subject: Starting to Drop Invalids for Customers
- From: nanog at as397444.net (Matt Corallo)
- Date: Wed, 11 Dec 2019 20:35:28 +0000
- In-reply-to: <CAL9jLaYdRYsX_RHuTCMx5d3oQYUV=6u=D5ZHm2nd411ovk+gmQ@mail.gmail.com>
- References: <CAL9jLaZNdL8r9VMfMjFwfH5W2Z603m8o46p3uo3sJR7xQmvG=w@mail.gmail.com> <[email protected]> <CAL9jLaYdRYsX_RHuTCMx5d3oQYUV=6u=D5ZHm2nd411ovk+gmQ@mail.gmail.com>
Ah, right. Fair. I was responding, I suppose, to Rubens' original
description, which was exactly this.
On 12/11/19 5:08 PM, Christopher Morrow wrote:
> On Wed, Dec 11, 2019 at 11:35 AM Matt Corallo <nanog at as397444.net> wrote:
>>
>> Right, but you're also taking a strong, cryptographically-authenticated system and making it sign non-authenticated data. Please don't do that. If you want to add the data to RPKI, there should be a way to add the data to RPKI, not sign away control of your number resources to unauthenticated sources.
>>
>
> I don't think that's what I was saying, at all, actually.
>
> I was saying:
> "I assume you must have some system to create IRR data, that system
> knows: '1.0.1.0/24 ASFOO MAINT-FOOBAR' is ok."
>
> that system could now add '1.0.1.0/24 ASFOO' to the RPKI.
>
> Where does that say: "make it sign unauthenticated data" ?
>
>>> On Dec 11, 2019, at 10:17, Christopher Morrow <morrowc.lists at gmail.com> wrote:
>>>
>>> On Wed, Dec 11, 2019 at 5:52 AM Rubens Kuhl <rubensk at gmail.com> wrote:
>>>>
>>>>
>>>>>
>>>>>> Which brings me to my favorite possible RPKI-IRR integration: a ROA that says that IRR objects on IRR source x with maintainer Y are authoritative for a given number resource. Kinda like SPF for BGP.
>>>>>>
>>>>>
>>>>> Is this required? or a crutch for use until a network can publish all
>>>>> of their routing data in the RPKI?
>>>>>
>>>>
>>>> It provides an adoption path based on the information already published in IRRs by operators for some years. It also covers for the fact that RPKI currently is only origin-validation.
>>>
>>> I would think that if you (royal you) already are publishing:
>>> "these are the routes I'm going to originate (and here are my customer lists)"
>>>
>>> and you (royal you) are accepting the effort to publish 1 'new' thing
>>> in the RPKI.
>>>
>>> you could just as easily take the 'stuff I'm going to publish in IRR'
>>> and 'also publish in RPKI'.
>>> Right? So adoption path aside, because that seems like a weird
>>> argument (since your automation to make IRR data appear can ALSO just
>>> send rpki updates), your belief is that: "Hey, this irr object is
>>> really, really me" is still useful/required/necessary/interesting?
>>>
>>> -chris
>>