[lacnog] Proposal to create an IRR in LAC maintained by LACNIC

Rubens Kuhl rubensk at gmail.com
Sun Jan 14 23:39:28 BRST 2018


On Sat, Jan 13, 2018 at 8:11 PM, Roque Gagliano <rgaglian at gmail.com> wrote:

> hi Rubens,
>
> "RPKI has a known limitation regarding path validation. Origin validation
> is the main feature of RPKI, but that addresses some mostly unusual cases
> like the Pakistan/Youtube issue (IGP to EGP redistribution). Most real life
> problems occur when people redistribute BGP to BGP creating paths that
> cause issues, and that's something current RPKI can't address. "
>
> And are you stating that IRR/RPSL can solve path validation?
>

Yes, it's one solution. There can be others, though... I hope a different,
simpler solution comes along. But so far it's the one available.


>
> I believe the discussion here refers to the "ROUTE/ROUTE6" RPSL objects
> (which are the objects people outside of your ASN care about). For either
> of these objects, the only mandatory attribute is the "origin". That is why
> there has been the proposal for many years to convert RPKI/ROA objects to
> ROUTE/ROUTE6 RPSL objects and that is what Carlos is probably talking about.
>



> Finally, I believe your data on the impact of RPKI to day-to-day
> operations is wrong. Sharon Goldberg has studied this topic extensively
> with real data from global routing tables internal to many SPs during a
> long period of time and concluded that origin validation can mitigate the
> large majority of the observed incidents. See some of her research here:
> http://www.cs.bu.edu/~goldbe/pub-index.html
>
>
>
She probably missed networks in countries with a large number of autonomous
systems with IX interconnections like Brazil.  And frankly, even for global
routing most of what happened lately would require path validation.
The ISOC/MANRS review of 2017 routing incidents,
https://www.manrs.org/2018/01/14000-incidents-a-2017-routing-security-year-in-review/
, mostly mentions BGP leaks, which require path validation to be mitigated.
Both my personal experience and ISOC's suggest that any data in this area
is in need of refreshing and more distributed data collection.



Rubens
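
Added example, not part of the original message: a minimal RFC 6811 route origin validation in Python over constructed ROAs and announcements (documentation prefixes and ASNs, all assumed). It shows the point debated in this thread: a more-specific announcement from the wrong origin is rejected, while a BGP-to-BGP re-export that keeps the true origin still validates.

```python
import ipaddress

# Constructed ROAs: (prefix, max_length, authorized origin ASN).
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64501),
]

def origin_validate(prefix, as_path, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # rightmost ASN is the one that originated the route
    covered = False
    for roa_net, max_len, roa_asn in roas:
        # A ROA covers the route if the route's prefix lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Matched only if the length is within maxLength and the origin agrees.
        if net.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed announcements as seen by a validating router.
ANNOUNCEMENTS = {
    # Normal route: provider AS64510 carries the route originated by AS64500.
    "legitimate": ("203.0.113.0/24", [64510, 64500]),
    # Wrong origin announcing a more specific (the Pakistan/YouTube pattern).
    "wrong_origin": ("203.0.113.0/25", [64510, 64511]),
    # Leak: AS64502 re-exports a route learned from AS64501 to AS64510.
    # The origin is still AS64500, so origin validation has nothing to object to.
    "bgp_to_bgp_leak": ("203.0.113.0/24", [64510, 64502, 64501, 64500]),
    # Prefix with no ROA at all.
    "no_roa": ("192.0.2.0/24", [64510, 64503]),
}

def evaluate(announcements=ANNOUNCEMENTS):
    """Return {name: validation state} for every sample announcement."""
    return {name: origin_validate(p, path) for name, (p, path) in announcements.items()}

if __name__ == "__main__":
    for name, state in evaluate().items():
        print(f"{name:16} {state}")
```
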