[lacnog] Bogon route objects in the LACNIC IRR

Job Snijders job at sobornost.net
Wed Aug 18 07:53:38 -03 2021


On Wed, Aug 18, 2021 at 12:17:17AM -0700, Ronald F. Guilmette wrote:
> The twenty route objects that I identified and listed here are provably
> bogus.

The very same capability that permits this handful of CAs to
'misconfigure' their RPKI ROAs (keep in mind their ability to shoot
themselves in the foot is restricted merely to their own IP space!), is
also what enables the other 2,940 Certificate Authorities to provide
authorization to service ISPs both inside and outside the LACNIC region,
Legacy ASN or not, past and future.

Whether or not a given ASId is 'bogus' is subjective. For example some
IXP operators create ROAs which reference non-existent ASNs as an
effective method to hamper propagation of their IX Peering LAN prefixes
(or any more-specifics) through the Default-Free Zone.

> In short there exists *no* technical impediment which would prevent any
> RIR from fully checking *any* proposed new route *before* it is either
> accepted as part of the RPKI system

But technical impediments do exist. You are not considering (or
appreciating) how the RPKI is a distributed database of delegations.

Similar to how, via LACNIC's Reverse DNS service, it is possible to
sub-delegate a zone to nameservers which are (currently/partially)
unreachable, or for a zone operator to input RFC 1918 IP space as the
contents of an "A" record ... it is possible (and an unavoidable
necessity) for RPKI operators to issue ROAs with arbitrary ASIds.

The alternative is extreme consolidation: fully centralized management
and operation of the RPKI service and the Reverse DNS service. Complete
centralization is the only way to enforce arbitrary rules about what
values the ASId field (or Reverse DNS 'A' records) can contain.

Indeed, the above should require the community to go through the policy
development process. It would be a sad day if this community decides to
turn back the clock by deprecating the Delegated RPKI functionality and
imposing draconian restrictions on the ASId field, for no obvious
benefit.

At the moment 35% of LACNIC space is covered by RPKI ROAs; the LACNIC
RPKI infrastructure pre-dates the IRR service. The IRR service merely is
a conduit towards legacy systems; nobody is forcing anyone to use it.

It seems to me you are trying very hard to create the impression you
found a big problem (it's not) and we should be thankful you are
'solving' it (you aren't). I think there is nothing to see here. I would
rather direct all this energy towards writing code improvements for RPKI
& BGP software, or teaching people how to deploy RPKI-based BGP Origin
Validation inside their network.

Regards,

Job

ps. Your strawman arguments and rudeness are not appreciated and make
you appear immature. You would garner more respect if you demonstrated
hands-on experience with the issuance and validation of RPKI objects, or
the application of RPKI data towards the BGP plane.
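As an added illustration (not part of Job's post, nor code from LACNIC or any RPKI project), the following Python sketch of RFC 6811 origin validation shows the effect described above: a ROA whose ASId is AS0 or an otherwise unassigned ASN makes every BGP announcement of the covered prefix Invalid, which is why IXP operators use it to keep their peering LAN out of the DFZ. The ROAs, prefixes and ASNs are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "203.0.113.0/24"
    max_length: int  # maxLength attribute of the ROA
    asn: int         # ASId; may be AS0 (RFC 6483) or an ASN nobody routes


def rov_state(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        # A ROA matches only if the announced length is within maxLength
        # and the origin equals the ASId. AS0 can never match a real
        # origin (RFC 6483 section 4), so an AS0 ROA only ever yields Invalid.
        if (route.prefixlen <= roa.max_length
                and roa.asn == origin_asn and roa.asn != 0):
            return "valid"
    return "invalid" if covered else "notfound"


def accept_route(route_prefix: str, origin_asn: int, roas) -> bool:
    """Typical defensive policy: drop Invalid, accept Valid and NotFound."""
    return rov_state(route_prefix, origin_asn, roas) != "invalid"


# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),      # ordinary member ROA
    ROA("203.0.113.0/24", 24, 0),        # IX peering LAN pinned with AS0
    ROA("2001:db8::/32", 48, 64500),     # v6 ROA allowing /48 more-specifics
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("203.0.113.0/24", 64500), ("198.51.100.0/24", 64500),
                     ("2001:db8:1::/48", 64500)]:
        print(pfx, "AS" + str(asn), rov_state(pfx, asn, SAMPLE_ROAS))
```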
