[routing-wg] New on RIPE Labs: Resource Certification (RPKI) Data Quality and Usage

On 24 Feb 2012, at 11:18, Randy Bush wrote:

> ok, so that was not what one would call a delicate statement of the
> problem. :)
> 
> my apologuies to alex.  he just finished applying the clue by four in
> IM.  of course, there is a serious problem he is trying to address.

Thanks Randy. 

The problem poor RPKI data quality. I realize its not up to the RIR to fix user mistakes, we're just trying to help. The problem could solve itself: if operators would start relying on the RPKI data set and give the invalid announcements a lower pref (or even drop them) then operators who created the bad ROAs would be pressured to fix their mistakes. The concern is that nobody would start using a data set with this quality in the first place.

The implementation that we've done with the hosted RPKI platform was geared towards creating a low entry barrier into the system. Members don't have to worry about any of the crypto aspects, but solely focus on entering data. 

***In the hosted RIPE NCC RPKI system, a certificate and all of its child objects are automatically renewed every year without any user intervention and interaction, for as long as the member is the holder of the related resources.***

It's this aspect that we feel we've taken too far. When using a package like rpkid, the user is more involved and things actually expire if you don't do something periodically.

In short: the proposal is not to *delete* ROAs, it's about stopping fully automated renewals. If folk think that's a good idea, of course we would implement various alerts, well ahead of time, that user attention is required.

Of course we will also put effort in education, and providing a playground for testing.

-Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2355 bytes
Desc: not available
URL: </ripe/mail/archives/routing-wg/attachments/20120224/9dfaf86f/attachment.p7s>