<div dir="ltr">hi Rubens,<br><br><div>"RPKI has a know limitation regarding path validation. Origin
validation is the main feature of RPKI, but that address some mostly
unusual cases like the Pakistan/Youtube issue (IGP to EGP
redistribution). Most real life problems occur when people redistribute
BGP to BGP creating paths that cause issues, and that's something
current RPKI can't address. "</div><div><br></div><div>And are you stating that IRR/RPSL can solve path validation? <br></div><div><br></div><div>I believe the discussion here refers to the "ROUTE/ROUTE6" RPSL objects (which are the objects people outside of your ASN care about). For either of these objects, the only mandatory attribute is the "origin". That is why there has been the proposal for many years to convert RPKI/ROA objects to ROUTE/ROUTE6 RPSL objects and that is what Carlos is probably talking about.<br></div><div><br></div>Finally, I believe your data on the impact of RPKI to day-to-day operations is wrong. Sharon Goldberg has studied this topic extensively with real data from global routing tables internal to many SPs during a long period of time and concluded that origin validation can mitigate the large majority of the observed incidents. See some of her research here: <a href="http://www.cs.bu.edu/~goldbe/pub-index.html">http://www.cs.bu.edu/~goldbe/pub-index.html</a><br><div><div><br></div><div><br></div><div>Roque<br></div><span class="gmail-HOEnZb"></span><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 12, 2018 at 8:30 PM, Rubens Kuhl <span dir="ltr"><<a href="mailto:rubensk@gmail.com" target="_blank">rubensk@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="gmail-">On Fri, Jan 12, 2018 at 5:11 PM, Job Snijders <span dir="ltr"><<a href="mailto:job@ntt.net" target="_blank">job@ntt.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On Fri, Jan 12, 2018 at 05:00:04PM -0200, Rubens Kuhl wrote:<br>
> > Por cierto, muchos (prácticamente todos) otros RIRs ya brindan ese<br>
> > servicios a sus miembros y las alternativas disponibles (como RADb)<br>
> > implican un costo anual de aprox US$500 que no todos los ISP pueden<br>
> > pagar (sobre todo los más pequeños).<br>
><br>
> <a href="http://bgp.net.br" rel="noreferrer" target="_blank">bgp.net.br</a> provides IRR services for Brazilian networks for free, as<br>
> does AltDB for networks from everywhere.<br>
<br>
</span>A challenge with databases like ALTDB and RADB is that there is no<br>
verification whether a route object actually was created by the owner of<br>
the IP space, or by some random person. Virtually anyone can create<br>
virtually anything in these databases.<br></blockquote><div><br></div></span><div>That's not the case of <a href="http://bgp.net.br" target="_blank">bgp.net.br</a>, because it is strictly tied to contacts in the Brazilian IP space registry. </div><span class="gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Therefor, 'Third party' databases like the above may not be an ideal<br>
substitute for what an RIR could offer its members. RIRs are in a unique<br>
position to couple the 'ownership' of a block to certain actions, this<br>
is what happens in RPKI. APNIC is a good example of this: only the owner<br>
of an IP block (or a designated authorized person) can create route<br>
objects.<br></blockquote><div><br></div></span><div>And as <a href="http://bgp.net.br" target="_blank">bgp.net.br</a> shows, this can be done either by the RIR itself providing IRR services, or by someone else strictly following RIR published data. Both methods work. </div><span class="gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I wonder what real problem is being solved by creating a LACNIC IRR: is<br>
the trouble that some IP carriers cannot query the RPKI (and thus need<br>
that data in IRR format?) - or is the problem that things are done in<br>
IRR that cannot be done in RPKI? More insight into the motivations<br>
behind this request would be helpful.<br>
<div class="gmail-m_-1131026017868711364HOEnZb"><div class="gmail-m_-1131026017868711364h5"><br></div></div></blockquote><div><br></div></span><div>RPKI has a know limitation regarding path validation. Origin validation is the main feature of RPKI, but that address some mostly unusual cases like the Pakistan/Youtube issue (IGP to EGP redistribution). Most real life problems occur when people redistribute BGP to BGP creating paths that cause issues, and that's something current RPKI can't address. </div><span class="gmail-HOEnZb"><font color="#888888"><div><br></div><div><br></div><div>Rubens</div><div><br></div><div><br></div></font></span></div></div></div>
<br>______________________________<wbr>_________________<br>
LACNOG mailing list<br>
<a href="mailto:LACNOG@lacnic.net">LACNOG@lacnic.net</a><br>
<a href="https://mail.lacnic.net/mailman/listinfo/lacnog" rel="noreferrer" target="_blank">https://mail.lacnic.net/<wbr>mailman/listinfo/lacnog</a><br>
Cancelar suscripcion: <a href="https://mail.lacnic.net/mailman/options/lacnog" rel="noreferrer" target="_blank">https://mail.lacnic.net/<wbr>mailman/options/lacnog</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><br><br>At least I did something<br>Don Draper - Mad Men</div>
</div></div></div>