[lacnog] Hijack de prefixo em IRR
job en ntt.net
Sab Sep 14 12:05:19 -03 2019
On Fri, Sep 13, 2019 at 05:57:06PM -0300, Douglas Fischer wrote:
> Our analysis was focused just in Brazilian prefixes mostly because
> those are "familiar to me and my friend. But also because that
> database of 'ASN vs Prefixes' is very tight.
Right, but the problem also exists globally. You have (re)discovered a
problem that is widely recognised.
> I believe that if there was a tool (if it doesn't already exist) that
> could get the list of "ASNs vs Prefixes" delegations for each of the
> RIR/NIR/LIR, and put it together in a consultable way, It could be
> used as a substantial information to indicate, not afraid to say
> something unfair, that "those" entries are wrong.
Yes, this tool already exists. It is called "RPKI" - I am not joking. I
hope the Brazilian community soon gets access to it, because this is
where everyone is heading.
> And it could be used for example as a PUBLIC SHAME LIST.
> - Shame on Mantainers, that are creating wrong entries.
> - Shame on Owner of the Resources, that are not doing their preventive work.
> - And, MOSTLY, Shame on IRRs bases, that are accepting anything.
> (OK, this is not very "politically correct", but it is the best we
> have. And it works! At least with good persons who doesn't like to be
> seen as a fat finger.)
Why are you shaming me Douglas? I work for an IRR, it is my job to help
maintain the NTTCOM database. We have recognised the flaw and concluded
that the solution is to let RPKI data supersede IRR data (when there is
a conflict). We are investing significant money to resolve the issue we
(as IRRs) are part of. What more do you want me to do?
I already shared with this list what real actions we are taking, what is
already happening in other regions to help reduce this problem. If the
follow up is "well, i'm going to ignore your solution and still want to
shame you"... I am not sure how productive that is :-)
> Well... If Two basic rules would be implemented by RADB and all the others
We are going to follow slightly different heuristics, because those are
more widely deployable.
What seems to be the essence of the problem here is that operators in
Brazil don't have access to RPKI services yet. I think almost everything
you highlight will be much easier and simpler to deal with once BR
operators can publish RPKI ROAs for BR prefixes...
Más información sobre la lista de distribución LACNOG