[lacnog] The process for creating ROAs in all RIRs
Douglas Fischer
fischerdouglas en gmail.com
Tue Sep 23 15:55:24 -03 2025
Reading Carlos's first post reminded me of a presentation [1,2] from the
Cloudflare team at LACNIC 31 about RPKI.
That's why I asked about the difficulties and ease of automation, comparing
hosted and delegated modes.
I remember someone mentioning at that event (perhaps it was hallway chat)
how the RPKI up-down protocol would be a solution for this...
Since then, a lot has changed!
- Many RIRs, NIRs, and LIRs have made moves and started offering better
support for RPKI definitions in their APIs (some still don't support it).
- Delegated mode with up-down has really emerged and grown, and it's
working, with both good and bad examples of availability.
Well, after almost 6 years, I think an analysis of this is in order.
The data Job provided is excellent for this. And it would be even more
impressive if academics plotted this data on CA malfunctions as a graph
over time.
Perhaps comparing it with data from notable events involving routing
failures on the internet.
[1]
https://www.lacnic.net/innovaportal/file/3635/1/lacnic-cloudflares-rpki-validator.pdf
[2] https://youtu.be/bdeZh6kBYkg?t=3729
On Tue, Sep 23, 2025 at 12:53, Carlos Martinez-Cagnazzo <
carlos en lacnic.net> wrote:
> Hey,
> On 23/9/25 12:48 PM, Job Snijders wrote:
>
> On Tue, 23 Sep 2025 at 17:41, Carlos Martinez-Cagnazzo <carlos en lacnic.net>
> wrote:
>
>> Thanks Job,
>>
>> I believe there is a sweet spot somewhere. If you run a really large
>> org, I believe operationally it makes sense to run your own CA. You may
>> run into things like the need to run transfers, move space from one
>> service to the other and you will feel more at home running something
>> you can deeply integrate with your automation platforms.
>>
>> If you run a small org, you are definitely better off on hosted.
>
>
>
> I disagree with some of what you say, having worked for several large
> orgs, I contend that the RIR-provided APIs work just as fine as poking APIs
> of an internal CA; RIR probably better.
>
> There is a risk-management side of things that we cannot ignore. But I
> digress.
>
> I think this is one point where we can agree to disagree :-)
>
>
> The observable experience with “a really large org running their own CA”,
> so far has only demonstrated that the large org repeated all the mistakes
> that the RIRs made in the beginning.
>
> “Large” just doesn’t equate “good execution”.
>
> IMO that's a separate discussion. I agree with you, but I believe that
> should be taken care of "out of band" if you will. Be it policies, MANRS or
> whatnot.
>
> One thing I believe we would all benefit from is some form of "RPKI
> Etiquette" that of course involves properly running delegated CAs.
>
> Kind regards,
>
> Job
>
> /Carlos
>
>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
>
--
Douglas Fernando Fischer
Control and Automation Engineer
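The thread is about automating ROA creation (hosted-mode RIR APIs versus a delegated CA speaking up-down), and the step that gets skipped in either mode is checking, before anything is pushed, that the intended ROAs are well-formed and that they would not render the operator's own announcements Invalid. The script below is an added example by the editor, not code from the thread, from any RIR, or from Cloudflare's validator; it applies RFC 6811 route origin validation to a constructed set of planned ROAs and announcements. All ASNs, prefixes and maxLength values are made-up sample data, and `audit`, `rov_state` and `validate_roa` are names chosen here.

```python
"""Pre-flight check for a planned ROA set (added example, not from the thread).

Run the ROAs you are about to create, through whatever RIR API or delegated CA
you use, against the routes you actually originate, and make sure nothing you
legitimately announce comes out Invalid under RFC 6811 origin validation.
All ROAs, prefixes and ASNs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Roa:
    asn: int
    prefix: str
    max_length: Optional[int] = None  # None means "exactly the prefix length"


def _max_len(roa: Roa, net: ipaddress._BaseNetwork) -> int:
    return roa.max_length if roa.max_length is not None else net.prefixlen


def validate_roa(roa: Roa) -> List[str]:
    """Return the reasons a ROA is malformed; an empty list means it is sane."""
    problems: List[str] = []
    if not 0 <= roa.asn <= 4294967295:
        problems.append("ASN out of 32-bit range")
    try:
        # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24)
        net = ipaddress.ip_network(roa.prefix, strict=True)
    except ValueError as exc:
        problems.append(f"bad prefix: {exc}")
        return problems
    ml = _max_len(roa, net)
    if ml < net.prefixlen:
        problems.append("maxLength shorter than the prefix")
    if ml > net.max_prefixlen:
        problems.append(f"maxLength exceeds {net.max_prefixlen}")
    return problems


def rov_state(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'.

    A ROA *covers* the route if the route lies within the ROA prefix. The route
    is Valid if some covering ROA has the same origin ASN and the route length
    is at most maxLength; Invalid if covered but never matched (this is how an
    AS0 ROA blocks everything); NotFound if no ROA covers it at all.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= _max_len(roa, net):
            return "valid"
    return "invalid" if covered else "notfound"


def audit(roas: List[Roa], announcements: List[Tuple[str, int]]) -> dict:
    """Report malformed ROAs and every announcement that is not Valid."""
    report = {"malformed": [], "invalid": [], "notfound": []}
    for roa in roas:
        for problem in validate_roa(roa):
            report["malformed"].append((roa, problem))
    usable = [r for r in roas if not validate_roa(r)]
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, usable)
        if state != "valid":
            report[state].append((prefix, asn))
    return report


# Constructed sample data (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    Roa(65536, "192.0.2.0/24"),               # exact-length ROA
    Roa(65536, "198.51.100.0/23", 24),        # allows /23 and /24 only
    Roa(65537, "2001:db8::/32", 48),
    Roa(0, "203.0.113.0/24"),                 # AS0: nobody may originate this
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 65536),       # valid
    ("198.51.100.0/24", 65536),    # valid
    ("198.51.100.0/25", 65536),    # invalid: longer than maxLength 24
    ("2001:db8:1::/48", 65537),    # valid
    ("203.0.113.0/24", 65536),     # invalid: covered only by the AS0 ROA
    ("198.18.0.0/15", 65536),      # notfound: no ROA covers it
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS).items():
        print(key, items)
```

The point of running this against your own announcements rather than against a validator's output is timing: a hosted-mode API or a delegated CA will happily publish a ROA whose maxLength is too short for a more-specific you already announce, and the resulting Invalid only shows up once relying parties have fetched it.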