[routing-wg] RPKI Route Origin Validation and AS3333

Hi all,


> Op 18 mrt. 2021, om 17:01 heeft Leo Vegoda <leo at vegoda.org> het volgende geschreven:
> 
> Hi,
> 
> On Thu, Mar 18, 2021 at 8:03 AM Nathalie Trenaman <nathalie at ripe.net> wrote:
> 
> [...]
> 
>> What is the Problem?
>> Currently, some of our upstream providers already perform ROV. This means that some of our members that potentially misconfigured their ROA or members who have lost control of creation and modification of their ROAs cannot reach our services via those peers.
> 
> [...]
> 
>> From an analysis we made on 10 February, there were 511 of such announcements from our members and End Users.
> 
> If the goal is to do this in a customer friendly way, perhaps consider
> creating a website at something like: https://brokenrpki.ripe.net, on
> a network that does not validate RPKI, so that users can be provided
> with any analytical tools or step-by-step guides thought necessary.

First of all, thanks for the warm support for ROV on AS3333. I’m reading all mails and the discussion with great interest. 
Now, here Leo brings up a tricky point. If we would create such a website, outside of our network, be would basically tell that other party to never-ever do ROV themselves. 
I don’t think that we can (or should) demand that from another network. 
Also, other operational “back doors” are not a good idea, as we try to equally protect the registry and the routing table. This will have consequences. Operators who “locked themselves out” should use another network to reach the LIR Portal. 

Apart from a big warning in the LIR Portal if they are about to do something that can lock them out (as Gert mentioned) , there isn’t much we can do. And from what I read here, there isn’t much more we should do. 

Kind regards,
Nathalie Trenaman
RIPE NCC