<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2074616980;
mso-list-template-ids:-655358842;}
@list l0:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="en-NL" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Hi Arturo,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Great to see you participating in this discussion, thank’s a lot for your feedback.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">To the best of my knowledge, EU regulators go for the big fish. Look at the example of the Czech Government who announced their services will be IPv6 only by 2032. Based
on the current IPv6 adoption, the diff between the IPv6 RADB records and the IPv6 RIPE DB records is only 0.65%. Such a move means that the organization not only will benefit from an almost perfect 1-to-1 sync between IRR data and PRKI data but could consider
relying fully on RPKI system and exclude the IRR one. Once this effort becomes successful, will open the appetite for EU regulators to push massively into this direction.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Moreover, your very last sentence can be translated into “Prioritizing convenience over routing security”, which -in my eyes- is very sad. I think you miss the point
that If we help our customers convert all those objects from “ RPKI unknown” to “RPKI valid”, big CDN networks who perform ROV will benefit out of that as well. Thus, I would expect more of a reaction that includes a mentality like “Please help us create a
common API between IRRs to ease operations” rather than “don’t do it all”.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Kind Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Stavros<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">connect-wg <connect-wg-bounces@ripe.net> on behalf of Arturo Servin via connect-wg <connect-wg@ripe.net><br>
<b>Date: </b>Thursday, 6 June 2024 at 13:14<br>
<b>To: </b>Connect-WG <connect-wg@ripe.net><br>
<b>Subject: </b>Re: [connect-wg] BCOP for the use of IRR DBs in IXP RS - Last call<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Hi</p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">>But we are trying to solve only one aspect of the problem: by not using<br>
>anymore the unauthenticated IRRs we will have removed a whole class of<br>
>possibile hijackings.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">And also you might invalidate a lot of valid objects causing issues for the networks using the RS in the IX.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Let me make a few comments.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I agree with some of the concerns raised here. IMO I do not think that is a good idea to just ignore some of the IRR databases, instead you could use something similar to what we have proposed on the MANRS for Cloud/CDN providers. I think
it is a good balance to use a variety of IRR DBs:</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">---></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Standard AS-SET expansion process:</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>If a peer-AS has downstream customer ASNs (customer cone ASNs), they are to be gathered through the “as-set” object. The “as-set” (or AS-SETs) will be picked up from PeeringDB, “IRR as-set/route-set” field. The syntax of the name should
be IRR-NAME::ASX:AS-SET-NAME, where ASX is the ASN of the peer-AS. If no AS-SET is provided, only the ASN of the peer-AS will be used in the following steps.</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>All the IRRs mirrored by RADB will be consulted to collect all “route” objects with the “origin:” field matching the ASNs collected in step 1</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>If the collection of data results in conflicting objects, the following rules apply in the following order until all conflicts are resolved:</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The primary IRR specified by IRR-NAME has the priority</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>AFRINIC, APNIC, ARIN, LACNIC, RIPE have the priority</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The most recently updated object has the priority</p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">7.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>If further tie breaking is needed, could select the object based on lexicographic order of the IRR DB names</p>
</div>
<div>
<p class="MsoNormal">Source: <a href="https://manrs.org/cdn-cloud-providers/actions/" target="_blank">https://manrs.org/cdn-cloud-providers/actions/</a></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">---></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Also, it is true that this is meant to be applied on European IXs, but as Nick mentioned, regulators et al. might take this as the BOCP for everyone (even no IXs.) Believe it or not, this document might have a lot of influential power
and you should be careful on what you propose, because it might have some unintended repercussions.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Finally, on a practical note, for organizations that have to maintain a few thousands of IRR objects, doing it manually is not an option, so we need to rely on APIs. The less the better, and the more the same, the better. Unfortunately
not all RIRs support API calls to manage IRRs objects, and for the ones that they do I think they are different. So, it is much easier to use RADB or other single DB.</p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regards</p>
</div>
<div>
<p class="MsoNormal">as</p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, Jun 6, 2024 at 11:54<span style="font-family:"Arial",sans-serif"> </span>AM Marco d'Itri <<a href="mailto:md@linux.it">md@linux.it</a>> wrote:</p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<p class="MsoNormal">On Jun 06, "Mullally, Ronan via connect-wg" <<a href="mailto:connect-wg@ripe.net" target="_blank">connect-wg@ripe.net</a>> wrote:<br>
<br>
> But if a bad actor manages to masquerade as somebody else’s ASN, <br>
> either directly or via ‘downstream’ routes then neither of the above <br>
> help. If anything there is a risk that if we blindly consider a route <br>
> that matches a route object / ROA to be beyond doubt we may be less <br>
> able to identify such actions.<br>
Of course, this is obvious.<br>
But we are trying to solve only one aspect of the problem: by not using <br>
anymore the unauthenticated IRRs we will have removed a whole class of <br>
possibile hijackings.<br>
For the others indeed other technologies will be needed.<br>
<br>
-- <br>
ciao,<br>
Marco<br>
_______________________________________________<br>
connect-wg mailing list<br>
<a href="mailto:connect-wg@ripe.net" target="_blank">connect-wg@ripe.net</a><br>
<a href="https://mailman.ripe.net/" target="_blank">https://mailman.ripe.net/</a><br>
<br>
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit:
<a href="https://mailman.ripe.net/" target="_blank">https://mailman.ripe.net/</a></p>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>