Mailing List Archive

Acceptance of RPKI unknown in ROV
A question for network operators out there that implement ROV…

Is anyone rejecting RPKI unknown routes at this time?

I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t match the route), but I’m wondering if anyone is currently or has any plans to start rejecting routes which don’t have a matching ROA at all?

Thanks,

Owen
Re: Acceptance of RPKI unknown in ROV
Assuming unknown encompasses no ROA at all, I’m inclined to say most probably haven’t because that would break a lot of things because a lot of folks don’t have ROAs at all and some don’t seem to even have a plan around implementing them.

J~

> On Oct 19, 2023, at 11:47, Owen DeLong via NANOG <nanog@nanog.org> wrote:
>
> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t match the route), but I’m wondering if anyone is currently or has any plans to start rejecting routes which don’t have a matching ROA at all?
>
> Thanks,
>
> Owen
>
Re: Acceptance of RPKI unknown in ROV
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG <nanog@nanog.org> wrote:

> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wondering if anyone is currently or has any
> plans to start rejecting routes which don’t have a matching ROA at all?



This would be a bad idea and cause needless fragility in the network
without any upsides.

Regards,

Job
Re: Acceptance of RPKI unknown in ROV
On Thu, 19 Oct 2023 at 11:56, Owen DeLong <owen@delong.com> wrote:

>
> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG <nanog@nanog.org>
> wrote:
>
>> A question for network operators out there that implement ROV…
>>
>> Is anyone rejecting RPKI unknown routes at this time?
>>
>> I know that it’s popular to reject RPKI invalid (a ROA exists, but
>> doesn’t match the route), but I’m wondering if anyone is currently or has
>> any plans to start rejecting routes which don’t have a matching ROA at all?
>
>
>
> This would be a bad idea and cause needless fragility in the network
> without any upsides.
>
>
> I’m not intending to advocate it, I’m asking if anyone is currently doing
> it.
>


I’m not aware of anyone doing this, and have not heard operators express
interest in doing this (probably because it seems such an unpleasant
concept).

Somewhat related:

I do know of operators that require a ROA (if it’s non-legacy space) during
their customer onboarding process, for example, in BOYIP for DIA cases.

But those operators do not expect the ROA to continually exist after the
provisioning has been completed successfully. Making the continued
availability of a route dependent on the continued validity of a ROA is
where friction starts to form.

Kind regards,

Job

>
Re: Acceptance of RPKI unknown in ROV
A quick check to my routing table suggests that I have 206700
preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
don't think anyone can afford to do this right now.

Regards,

Aftab A. Siddiqui


On Fri, 20 Oct 2023 at 05:49, Owen DeLong via NANOG <nanog@nanog.org> wrote:

> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wondering if anyone is currently or has any
> plans to start rejecting routes which don’t have a matching ROA at all?
>
> Thanks,
>
> Owen
>
>
Re: Acceptance of RPKI unknown in ROV
On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui <aftab.siddiqui@gmail.com>
wrote:

> A quick check to my routing table suggests that I have 206700
> preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
> don't think anyone can afford to do this right now.
>


I don’t think anyone can afford to ever do this, regardless of the number
of unknown destinations!

Imagine not being able to reach North American destinations for 23 hours
because of a cryptographic signing issue at the RIR [0] causing all ROAs to
blip out of existence.

Kind regards,

Job

[0]
https://www.arin.net/announcements/20200826/
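
Added example, not part of any post in this thread: a minimal RFC 6811 origin-validation classifier showing the three states discussed above (valid, invalid, notfound) and how many routes each import policy accepts when the VRP set empties, as in the incident referenced at [0]. The prefixes, ASNs and the `VRP`, `validate`, `accepted` and `scenario` names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    prefix: str      # prefix from the ROA
    max_len: int     # maxLength from the ROA
    asn: int         # authorized origin AS

def validate(route: str, origin: int, vrps: list[VRP]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        roa = ipaddress.ip_network(v.prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True                      # at least one VRP covers the route
        if v.asn == origin and v.asn != 0 and net.prefixlen <= v.max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def accepted(routes, vrps, reject_states):
    """Routes that survive an import policy dropping the given states."""
    return [r for r in routes if validate(r[0], r[1], vrps) not in reject_states]

# Constructed sample data (documentation prefixes and ASNs only).
VRPS = [VRP("192.0.2.0/24", 24, 64496), VRP("2001:db8::/32", 48, 64497)]
ROUTES = [
    ("192.0.2.0/24", 64496),       # valid: matching ROA
    ("192.0.2.0/25", 64496),       # invalid: longer than maxLength
    ("2001:db8:1::/48", 64511),    # invalid: wrong origin AS
    ("198.51.100.0/24", 64500),    # notfound: no covering ROA
]

def scenario(vrps):
    """Count accepted routes under both policies for a given VRP set."""
    return {
        "reject_invalid": len(accepted(ROUTES, vrps, {"invalid"})),
        "reject_invalid_and_notfound":
            len(accepted(ROUTES, vrps, {"invalid", "notfound"})),
    }

if __name__ == "__main__":
    print("normal VRP set:", scenario(VRPS))
    print("VRPs vanished: ", scenario([]))
```

With an empty VRP set every route classifies as notfound, so a reject-invalid policy fails open while a policy that also rejects notfound drops the whole table.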
Re: Acceptance of RPKI unknown in ROV
I ask because there was discussion at the ARIN meeting and Kevin Blumberg made the suggestion that “in 2024, routes will not be accepted without ROAs”.

I didn’t think this was likely, but as someone with resources for which I cannot create ROAs, it is a concern. So far, I haven’t really seen a significant benefit to going to the trouble of creating ROAs, but I also don’t want to suddenly find myself offline because I didn’t, so I figured it was a good idea to get a sense of the community on this.

Thanks to those that replied.

Owen


> On Oct 19, 2023, at 12:17, Job Snijders <job@fastly.com> wrote:
>
> On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui <aftab.siddiqui@gmail.com> wrote:
>> A quick check to my routing table suggests that I have 206700 preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I don't think anyone can afford to do this right now.
>
>
> I don’t think anyone can afford to ever do this, regardless of the number of unknown destinations!
>
> Imagine not being able to reach North American destinations for 23 hours because of a cryptographic signing issue at the RIR [0] causing all ROAs to blip out of existence.
>
> Kind regards,
>
> Job
>
> [0]
> https://www.arin.net/announcements/20200826/
Re: Acceptance of RPKI unknown in ROV
On Thu, 19 Oct 2023 at 1:37 pm, Owen DeLong <owen@delong.com> wrote:

> I ask because there was discussion at the ARIN meeting and Kevin Blumberg
> made the suggestion that “in 2024, routes will not be accepted without
> ROAs”.
>

As someone who was there, that’s a misrepresentation of what Kevin said. I’m
sure he can jump in and share his detailed point of view, but his point
was many operators and cloud providers are already demanding to have a
valid ROA to peer or use their services and that will most likely become a
requirement moving forward.

For legacy resource holders it is a problem but then it’s a bureaucratic
issue rather than technical and technology has a solution called SLURM.
Re: Acceptance of RPKI unknown in ROV
> For legacy resource holders it is a problem but then it’s a
> bureaucratic issue rather than technical and technology has a solution
> called SLURM.

has arin not made it easier, lowering the legal insanity, for legacy
holders to obtain services?

randy
Re: Acceptance of RPKI unknown in ROV
On 19 Oct 2023 at 17:16:21, Randy Bush <randy@psg.com> wrote:

> has arin not made it easier, lowering the legal insanity, for legacy
> holders to obtain services?
>

Yes but they need to jump now if they want to take advantage of it, as I
understand it.

f
Re: Acceptance of RPKI unknown in ROV
>> has arin not made it easier, lowering the legal insanity, for legacy
>> holders to obtain services?
> Yes but they need to jump now if they want to take advantage of it, as
> I understand it.

arin has deep expertise in hurdles

randy
Re: Acceptance of RPKI unknown in ROV
> On 20-Oct-2023, at 00:35, nanog@nanog.org wrote:
>
> On Thu, 19 Oct 2023 at 11:56, Owen DeLong <owen@delong.com> wrote:
>>>
>>> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG <nanog@nanog.org> wrote:
>>>> A question for network operators out there that implement ROV…
>>>>
>>>> Is anyone rejecting RPKI unknown routes at this time?
>>>>
>>>> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t match the route), but I’m wondering if anyone is currently or has any plans to start rejecting routes which don’t have a matching ROA at all?
>>>
>>>
>>> This would be a bad idea and cause needless fragility in the network without any upsides.
>>
>> I’m not intending to advocate it, I’m asking if anyone is currently doing it.
>
>
> I’m not aware of anyone doing this, and have not heard operators express interest in doing this (probably because it seems such an unpleasant concept).
>
> Somewhat related:
>
> I do know of operators that require a ROA (if it’s non-legacy space) during their customer onboarding process, for example, in BOYIP for DIA cases.

In my region also, ISPs are asking for valid ROAs before on-boarding users.

>
> But those operators do not expect the ROA to continually exist after the provisioning has been completed successfully. Making the continued availability of a route dependent on the continued validity of a ROA is where friction starts to form.
>
> Kind regards,
>
> Job
Re: Acceptance of RPKI unknown in ROV
Thus spake Randy Bush (randy@psg.com) on Thu, Oct 19, 2023 at 03:16:21PM -0700:
> > For legacy resource holders it is a problem but then it’s a
> > bureaucratic issue rather than technical and technology has a solution
> > called SLURM.
>
> has arin not made it easier, lowering the legal insanity, for legacy
> holders to obtain services?

Yes, and the process is pretty straightforward now even for public
entities.

We (AS293) recently updated our RSA and LRSA to the latest language
and also are cleaning up some ~40yrs of not-quite-accurate-enough
record keeping between multiple govt entities. If "we" can do it,
"you" can do it (probably a heck of a lot easier) ;-)

Dale