[routing-wg] network failed, was re: Notification of RIPE Database changes

On 2013-06-15, at 10:11, Randy Bush <randy at psg.com> wrote:

>> This morning we experienced downtime but we managed to recover within
>> a few hours due to a last minute warning issued to our upstream
>> provider Cybersmart (original message pasted below bottom).
>> 
>> From what I can gather I can hypothesise that our previous upstream
>> provider Frogfoot, had created a route object in your database without
>> our knowledge or authority. Subsequently they relinquished control of
>> this object to their new upstream (AfricaINX in the email below)
>> without our knowledge or authority. And subsequently AfricaINX deleted
>> this object from your database without our authority or knowledge.
>> And finally our new upstream created a route object in your database
>> without our knowledge or authority.
> 
> [ aside from a side rant about rpki certificates ] has anyone at the ncc
> looked into this and can give us a post mortem?  it is a bit scary.

I've noticed over the years that many people use RPSL quite badly.

If I (AS 1000) have a customer (AS 2000) that is announcing 192.0.2.0/24, and I want to propagate that route to my transit providers, there are many transit providers that will insist on seeing a route: object for 192.0.2.0/24 with origin: 1000 and can do nothing with the origin: 2000 that is already there.

There are others whose entire question about RPSL is "what is your as-set?" which in this example could contain both as1000 and as2000 without such nasty route/origin lies.

Nobody seems to have heard of aut-num objects, or if they have, they have no interest in parsing export/import attributes. Which is a shame, since all anybody ought to have to know is your AS number.

The end result, IRR-wide (if I can use "IRR" to mean anything these days) is that there are  endless duplicate route objects with inaccurate origin attributes. After spending a few weeks trying to contact people to have them deleted from one registry, and then noticing that there are eleventy others that all contain variously mirrored or duplicated junk, I think people generally give up. It's all a horrible mess.

If only people had read ripe-181 and descendants before ever trying to talk to auto-dbm, instead of relying upon the same oral tradition that also brought us "DNS over TCP is only for zone transfers" and "ICMP is a security risk and should be blocked everywhere".

Generally (no warranty expressed or implied) the only thing you need to worry about is that the correct objects are present and protected from change by others with an appropriate maintainer. You hope that all other objects referring to the same routes are benign, in the sense that although they would potentially allow a bad thing to happen, at least they don't mess with the good thing that you want to happen.


Joe