This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
- Previous message (by thread): [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
- Next message (by thread): [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sander Steffann
sander at steffann.nl
Mon May 20 22:23:56 CEST 2013
Hi Sasha, > However, right now, this will not result in an immediate loss of routing for the prefix(es) concerned. With an rpki implementation where the NCC is the trust root and validation is pretty much automatic, it can and will. As I tried to explain to you in previous replies: it is up to the network operators to decide what they will and will not route. It is definitely not automatic. [REF1]: Routing is decided by network operators. RPKI is a tool they can use, nothing is imposed, the operator remains the authority for his/her own network. > To put it in 2 sentences: > > 1) I don't want a top-down hierarchy imposed on the DFZ, and in its current form this is what rpki certs + ROAs will do. See [REF1] > 2) I don't want the NCC (or the ITU or anyone else, for that matter) to be the singular Routing Authority for the entire service region. See [REF1] >> In random order: >> http://www.ripe.net/lir-services/resource-management/certification/router-configuration >> http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-m1.html#wp3677719851 >> http://lacnic.net/documentos/lacnicxv/rpki/2BGP-Origin-Validation.pdf >> http://m.apnic.net/__data/assets/pdf_file/0008/38258/RPKI_Deployment_LACNIC.pdf >> http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html#jd0e385 >> >> And from >> http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf: >> "You can allow an invalid prefix to be used as the BGP best path, even >> if valid prefixes are available. This is the default behavior." > > OK, I concede it is not, currently, the default practice. It would be pretty insane too, given that verification is barely implemented anywhere and if it is it's probably not in production... > >> I'm not the one claiming "There may not be a default *yet*, but there >> will be". *You* claim to see the future -> *you* provide evidence. > > I didn't claim to see the future, but I still think, once widely deployed, invalid or missing ROAs will be dropped - it would be reasonable, seeing as a (hijacked) longer prefix should still win over a shorter one with better localpref. Easiest way to avoid this is to just drop the invalid one. Again, this depends on what the network operator wants. The operator writes routing policy / route maps / etc. See [REF1]. Cheers, Sander
- Previous message (by thread): [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
- Next message (by thread): [ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]