[routing-wg] Ensuring RPKI ROAs match your routing intent

Hi Randy, all,

> On 26 Jun 2020, at 16:04, Randy Bush <randy at psg.com> wrote:
> 
>> Krill uses these RIS dumps too for this initial release, but we intend
>> to evolve it over the next releases with something more real-time, as
>> well as letting you plug in a local router feed
> 
> drl considered this but i voted against it.  my local router is already
> too heavily influenced by my local rpki collection and policies.  when i
> contemplate a new roa, i want to see how it might impact anything
> floating around in the global table as seen from as many vantage points
> as possible; hence route views and ris.  of course, that thought was a
> decade plus ago, and ymmv.

I think that for a start RIS and RouteViews are great.

However, as ROV becomes more deployed and your upstreams may start dropping your unintended invalids, those may not show up any more in those views.

So, I think that in future local feeds will become more important. This could be based on automated router config set ups (like IPAM solutions) which can use an API to create the ROAs as needed. Or it could be 'just-in-time' or well.. 'just-too-late' authorisations based on a real local BGP feed even. Indeed YMMV and we are still exploring this.

Note that even then monitoring your own prefixes in the global BGP in relation to your ROAs from other vantage points will still be important. I expect that something like BGP Alerter (or similar) rather than your own RPKI CA will be more suitable for this purpose.

Tim


> 
> randy