This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] [routing-wg] An arrest in Russia
- Previous message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
- Next message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Fri Jan 3 22:54:29 CET 2020
On Fri, Jan 03, 2020 at 01:40:41PM -0800, Ronald F. Guilmette wrote: > In message <20200103165918.GL72330 at Space.Net>, Gert Doering <gert at space.net> wrote: > >On Fri, Jan 03, 2020 at 04:14:07PM +0000, Suresh Ramasubramanian wrote: > >> So the RIR has absolutely no role in maintaining say IRR data? I > >> agree validating LOAs and such for routing changes would be on > >> providers. Though if the changes were to be made in IRR data who > >> would validate it? > > >IRR data is authenticated by registry data in RIPE land, if the > >resource holder chooses so. Short story. > > > > So, nobody can create routes for, say, my address space unless I > > authorize that. > > Yes. Nowadays, the RIPE IRR is better in this respect than any other > IRR that I am aware of. I'd like to offer some additional datapoints, in this context I consider an IRR (either by a RIR or NIR) 'validated' if "route:" objects can only be created with the consent of the then-current resource holder. Current RIRs: * All RPKI ROAs (under all of the five RIRs) are validated * RIPE NCC's "RIPE" IRR source is validated (but "RIPE-NONAUTH" is not). * APNIC's IRR source "APNIC" is 100% validated * AFRINIC's IRR source "AFRINIC" is 100% validated Current NIRs: * NIC.BR's "whois" registry (which contains routing data) is validated * JPNIC (who manage 'JPIRR') validates all route objects on a regular interval There are more NIRs, but not all of them have IRRs, or in some cases the IRR function has been outsourced back to the RIR. Near Future: * LACNIC is working on a "RPKI to IRR" bridge, which will bring a new RIR managed IRR source to the ecosystem, but it will be 100% validated since it is based on RPKI. * ARIN is working on a validated IRR, I myself am involved in this project to help achieve the best possible outcomes. So in short: the RIPE IRR is very good. There are more IRRs like it already today. And the remaining RIR IRRs are moving to a more secure service execution model. > Don't even get me started about RADB! They don't check anything, and > there are stale entires in there from 10+ years go for routes to > bogons. As far as I can tell, there is zero quality control and zero > maintenance, the result being that it has become one big playground > for routing crooks. As mentioned before, third party IRRs - through the IRRd 4 project - are working to address such shortcomings. Ronald as expressed some concern with the pace at which these projects are moving along, but I'm not sure things can be sped up - and I personally appreciate the positive direction in which things seem to be developing. Kind regards, Job
- Previous message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
- Next message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]