[lacnog] Proposal to create an IRR in LAC maintained by LACNIC

Roque Gagliano rgaglian en gmail.com
Sat Jan 13 20:11:00 BRST 2018


Hi Rubens,

"RPKI has a known limitation regarding path validation. Origin validation is
the main feature of RPKI, but that addresses some mostly unusual cases like
the Pakistan/Youtube issue (IGP to EGP redistribution). Most real life
problems occur when people redistribute BGP to BGP creating paths that
cause issues, and that's something current RPKI can't address. "

And are you stating that IRR/RPSL can solve path validation?

I believe the discussion here refers to the "ROUTE/ROUTE6" RPSL objects
(which are the objects people outside of your ASN care about). For either
of these objects, the only mandatory attribute is the "origin". That is why
there has been the proposal for many years to convert RPKI/ROA objects to
ROUTE/ROUTE6 RPSL objects and that is what Carlos is probably talking about.

Finally, I believe your data on the impact of RPKI to day-to-day operations
is wrong. Sharon Goldberg has studied this topic extensively with real data
from global routing tables internal to many SPs during a long period of
time and concluded that origin validation can mitigate the large majority
of the observed incidents. See some of her research here:
http://www.cs.bu.edu/~goldbe/pub-index.html


Roque

On Fri, Jan 12, 2018 at 8:30 PM, Rubens Kuhl <rubensk en gmail.com> wrote:

>
>
> On Fri, Jan 12, 2018 at 5:11 PM, Job Snijders <job en ntt.net> wrote:
>
>> On Fri, Jan 12, 2018 at 05:00:04PM -0200, Rubens Kuhl wrote:
>> > > By the way, many (practically all) other RIRs already provide this
>> > > service to their members, and the available alternatives (such as RADb)
>> > > involve an annual cost of approx. US$500 that not all ISPs can
>> > > afford (especially the smaller ones).
>> >
>> > bgp.net.br provides IRR services for Brazilian networks for free, as
>> > does AltDB for networks from everywhere.
>>
>> A challenge with databases like ALTDB and RADB is that there is no
>> verification whether a route object actually was created by the owner of
>> the IP space, or by some random person. Virtually anyone can create
>> virtually anything in these databases.
>>
>
> That's not the case of bgp.net.br, because it is strictly tied to
> contacts in the Brazilian IP space registry.
>
>
>> Therefore, 'Third party' databases like the above may not be an ideal
>> substitute for what an RIR could offer its members. RIRs are in a unique
>> position to couple the 'ownership' of a block to certain actions, this
>> is what happens in RPKI. APNIC is a good example of this: only the owner
>> of an IP block (or a designated authorized person) can create route
>> objects.
>>
>
> And as bgp.net.br shows, this can be done either by the RIR itself
> providing IRR services, or by someone else strictly following RIR published
> data. Both methods work.
>
>
>>
>> I wonder what real problem is being solved by creating a LACNIC IRR: is
>> the trouble that some IP carriers cannot query the RPKI (and thus need
>> that data in IRR format?) - or is the problem that things are done in
>> IRR that cannot be done in RPKI? More insight into the motivations
>> behind this request would be helpful.
>>
>>
> RPKI has a known limitation regarding path validation. Origin validation is
> the main feature of RPKI, but that addresses some mostly unusual cases like
> the Pakistan/Youtube issue (IGP to EGP redistribution). Most real life
> problems occur when people redistribute BGP to BGP creating paths that
> cause issues, and that's something current RPKI can't address.
>
>
> Rubens


-- 


At least I did something
Don Draper - Mad Men
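
Added example, not part of the original message and not code from LACNIC or any RPKI/IRR project: a Python sketch of the ROA to ROUTE/ROUTE6 conversion mentioned in the message above. The ROA field names, the `EXAMPLE-RPKI` source label, and the choices to skip AS0 ROAs and to record maxLength in a `remarks` line are assumptions of this example; the sample ROAs are constructed from documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes/ASNs), not real routing data.
SAMPLE_ROAS = [
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": 64500},
    {"prefix": "2001:db8::/32", "maxLength": 48, "asn": 64501},
    {"prefix": "198.51.100.0/24", "maxLength": 24, "asn": 0},   # AS0: "do not route"
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": 64500},  # duplicate ROA
]


def attr(name, value):
    """Format one RPSL attribute line with the conventional column padding."""
    return f"{name + ':':<16}{value}"


def roa_to_rpsl(roa, source="EXAMPLE-RPKI"):
    """Return a route/route6 object for one ROA, or None if it has no IRR equivalent."""
    # strict=True rejects prefixes with host bits set (raises ValueError).
    net = ipaddress.ip_network(roa["prefix"], strict=True)
    asn = int(roa["asn"])
    max_len = int(roa.get("maxLength", net.prefixlen))
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_len} for {net}")
    if asn == 0:
        # An AS0 ROA says the prefix should not be routed at all, so this
        # example emits no route object for it (assumption of the example).
        return None
    cls = "route" if net.version == 4 else "route6"
    lines = [attr(cls, net), attr("origin", f"AS{asn}")]
    if max_len > net.prefixlen:
        # A route object matches one exact prefix; the ROA's more-specifics
        # are noted in a remark rather than enumerated.
        lines.append(attr("remarks", f"ROA maxLength {max_len}"))
    lines.append(attr("source", source))
    return "\n".join(lines)


def convert(roas):
    """Convert a list of ROAs, dropping duplicates and ROAs with no IRR equivalent."""
    seen, out = set(), []
    for roa in roas:
        obj = roa_to_rpsl(roa)
        if obj is not None and obj not in seen:
            seen.add(obj)
            out.append(obj)
    return out


if __name__ == "__main__":
    print("\n\n".join(convert(SAMPLE_ROAS)))
```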