[lacnog] Reaching out to LACNIC members about their RPKI INVALID and unreachable prefixes (will affect their ability to reach Cloudflare)

nusenu nusenu-lists en riseup.net
Jue Sep 20 05:13:00 BRT 2018


Hi Roque,

thanks for your input.

Roque Gagliano:
> my
> prefer path would be to include these sort of reports in the already
> existing inter-domain reporting systems so operator do not need to
> subscribe to "yet another report".

Let me clarify a bit what I'm proposing. I'm not proposing a new 
subscription based service operated by LACNIC (maybe LACNIC offers already RPKI alerting like 
RIPE NCC's RPKI dashboard does, I'm not sure). 

I'm proposing a one time
email from LACNIC to their affected members (~180) to give them a chance to solve the problem before it
significantly impacts them. 
After that - and especially due to the adoption of RPKI by big service providers like Cloudflare, there
will be an immediate feedback loop when new misconfigured ROAs are introduced. 
That immediate feedback (broken ROA created -> reachability impacted) 
that was missing up until now, will keep the number of broken ROAs down as long as operators
care about the reachability of their prefixes (without further LACNIC notifications).

> I know BGPMON does provide RPKI analysis
> but I do not have a view on the rest of th popular tools out there.
> 
> Particularly, it has been under debate for many years if RIR should have
> some sort of "routing police" role and asking members with an official
> communication could generate some noise at the policy layer.

The email for affected members would not be in form of a question,
it would simply be a friendly notification stating that the reachability of their prefixes
suffers from misconfigured ROAs.

> Maybe if you could make sure that all these existing reporting systems do
> include alerts on RPKI invalid announcements.

Even if existing reporting systems do include RPKI alerting, that does not
inform affected operators of their unreachable prefixes unless they actually subscribe to such
a service. 

My assumption is: Every operator would like to know if his prefix
is unreachable - even if they are not aware of the problem and did not subscribe to such
alerting systems. Operators that subscribed to such alerting systems are unlikely on the 
list of affected operators.

So if the options are (there are more than a and b in reality):

a) no notification is send and operators run into a hard-fail scenario while route origin validation is
increasingly deployed (i.e. Cloudflare)

b) LACNIC informs their affected members and gives them a (better) chance to solve the problem
before it significantly impacts them

then I prefer (b) over (a).


kind regards,
nusenu


-- 
https://twitter.com/nusenu_

------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20180920/80e46b6f/attachment.sig>


Más información sobre la lista de distribución LACNOG