This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] RPKI Route Origin Validation and AS3333
- Previous message (by thread): [routing-wg] RPKI Route Origin Validation and AS3333
- Next message (by thread): [routing-wg] RPKI Route Origin Validation and AS3333
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Leo Vegoda
leo at vegoda.org
Fri Mar 19 14:37:15 CET 2021
Hi Nathalie, On Fri, Mar 19, 2021 at 4:24 AM Nathalie Trenaman <nathalie at ripe.net> wrote: [...] > > If the goal is to do this in a customer friendly way, perhaps consider > > creating a website at something like: https://brokenrpki.ripe.net, on > > a network that does not validate RPKI, so that users can be provided > > with any analytical tools or step-by-step guides thought necessary. > > First of all, thanks for the warm support for ROV on AS3333. I’m reading all mails and the discussion with great interest. > Now, here Leo brings up a tricky point. If we would create such a website, outside of our network, be would basically tell that other party to never-ever do ROV themselves. > I don’t think that we can (or should) demand that from another network. > Also, other operational “back doors” are not a good idea, as we try to equally protect the registry and the routing table. This will have consequences. Operators who “locked themselves out” should use another network to reach the LIR Portal. I might not have been clear. Sorry. My intention was not for the RIPE NCC to create a full-service LIR Portal on a network that doesn't use RPKI. Instead, I was trying to suggest creating something like the many DNSSEC validation checking websites that help you understand where things have gone wrong. Being able to provide this analysis to someone who has tripped over will allow you to provide them with authoritative advice on the paths they could take to fix things. > Apart from a big warning in the LIR Portal if they are about to do something that can lock them out (as Gert mentioned) , there isn’t much we can do. And from what I read here, there isn’t much more we should do. This is definitely a good idea. Kind regards, Leo
- Previous message (by thread): [routing-wg] RPKI Route Origin Validation and AS3333
- Next message (by thread): [routing-wg] RPKI Route Origin Validation and AS3333
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]