Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. NANOG>
  3. users
irrd 4.1.2 deployed at NTT
tboudreau at gin
Jun 9, 2021, 1:55 PM
Post #1 of 4 (154 views)
Permalink
Dear all,

I am Troy from NTT's Global IP Network IRR team.

Today we upgraded rr.ntt.net to IRRd 4.1.2!
This marks the completion of a multi-year initiative to seamlessly
integrate IRR and RPKI.

While this version might not seem remarkable, this change means that
NTT's IRR mirror service will now use RPKI Validated ROAs to filter
out invalid IRR objects! This filtering strategy is similar to RIPE-731.

Creation of RPKI ROAs will trigger deletion of conflicting IRR objects,
this helps clean up stale objects. Existing RPKI ROAs help prevent
future creation of unauthorized IRR objects.

Anyone using the rr.ntt.net service to build their filters will benefit
from this change!

See https://irrd.readthedocs.io/en/stable/admins/rpki/ for more information.

If you require any assistance, please send a message to the team at
db-admin@rr.ntt.net.

Kind regards,
Troy
Re: irrd 4.1.2 deployed at NTT [ In reply to ]
randy at psg
Jun 10, 2021, 11:08 AM
Post #2 of 4 (153 views)
Permalink
> this change means that NTT's IRR mirror service will now use RPKI
> Validated ROAs to filter out invalid IRR objects! This filtering
> strategy is similar to RIPE-731.
>
> Creation of RPKI ROAs will trigger deletion of conflicting IRR
> objects, this helps clean up stale objects. Existing RPKI ROAs help
> prevent future creation of unauthorized IRR objects.

cool!

what stands between my current world and when i can remove my irrd
instance and when i can remove (which) objects from the ripe whois?

< psa >

15-20 years back, when designing early rpki deployment, folk wanted the
irr to be equally if not more authoritative than the rpki. trust what
you are already familiar with. some where downright rabid about irr /
whois rulz.

the pendulum swings.

while i confess to helping to create this rpki origin validation
thingie, i would warn that it is pretty rigid. notice how many xnog
threads we see about broken dnssec or just dns meaning my.mtv is mot
reachable? this is analogous, except it is at the routing layer.

recommended actions:

get your roas correct and monitor their correctness

use an external service which ensures your roa data are propagating
correctly globally

use reliable and correct relying party softweare; there is crap
out there

monitor your routers to ensure that they are getting current relying
party data

familiarize your noc and engs with a toolset to provide assurance
of and debug all of the above

i am sure there are more things to do; and hope that wiser folk will
expand, comment, and correct.

randy

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header butchery
Re: irrd 4.1.2 deployed at NTT [ In reply to ]
mark at tinka
Jun 11, 2021, 9:56 AM
Post #3 of 4 (153 views)
Permalink
On 6/10/21 20:08, Randy Bush wrote:

> i am sure there are more things to do; and hope that wiser folk will
> expand, comment, and correct.

Stay far away from AS0...

Mark.
Re: irrd 4.1.2 deployed at NTT [ In reply to ]
randy at psg
Jun 11, 2021, 12:50 PM
Post #4 of 4 (152 views)
Permalink
>> i am sure there are more things to do; and hope that wiser folk will
>> expand, comment, and correct.
>
> Stay far away from AS0...

one of 42 ways, invented by clever people, to shoot yourself in the foot

randy

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal