<div dir="auto">Douglas, I am not sure using PeeringDB for this would be the best thing. Although it is a great tool it is mainly for other proposals and although it has pretty good and updated information it will never be as precise as Whois data from RIRs.<div dir="auto"><br></div><div dir="auto">Best thing as you mentioned is ASNs to filter based on RPKI and of course that will be dependent on IX to sign theie ROA. But we know this will not be very effective for a while.</div><div dir="auto"><br></div><div dir="auto">So getting it from whois seems a better middle term solution even knowing it means a little more work than using PeeringDB.</div><div dir="auto"><br></div><div dir="auto">Fernando</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 13 Jan 2020, 18:16 Douglas Fischer, <<a href="mailto:fischerdouglas@gmail.com">fischerdouglas@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">I was delirious and a little extrapolating the idea on how to develop this automation, and I had a crazier idea yet...<br><br>Someone who could be considered as representative of the IXPs (perhaps PeeringDB himself, or Euro-IX IXPDB ...) feeds some IRR with the IXP LAN prefixes with ASN 0, and an AS-SET for that.<br><br>So anyone using BGPq3 / BGPq4, or IRRPowerTools could easily create this prefix-list and use it for filtering.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em seg., 13 de jan. de 2020 às 16:43, Douglas Fischer <<a href="mailto:fischerdouglas@gmail.com" target="_blank" rel="noreferrer">fischerdouglas@gmail.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Just to put it in context, I will report the motivation of this idea</div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">--------------------------------------------------------------------</div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">On 08 / Jan / 2020 <a href="http://IX.BR" target="_blank" rel="noreferrer">IX.BR</a> started to change the netmask in São Paulo IX. <a href="http://187.16.216.0/21" target="_blank" rel="noreferrer">187.16.216.0/21</a> -> <a href="http://187.16.208.0/20" target="_blank" rel="noreferrer">187.16.208.0/20</a><br><br>Everything should have gone well...<br>But we had some classmates who hadn't done their homework well and were leaking the IX LAN prefix for their Downstreams and Upstreams as if they were their own networks. (And to make matters worse, there were very large people who were accepting this prefix.)</div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><span lang="en"><br></span></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><span lang="en">While everyone was on the same netmask, the directly connected network metric was better than the BGP-learned network metric, and that didn't hurt.</span><br>But as some participants who were receiving this / 21 prefix from their UPstreams changed their netmask to / 20, the more specific prefix has won in FIB, and those participants lost connectivity to Lan IX.<br><br>We know that the "modern and beautiful" way to prevent this from happening is that there is a ROA with ASN 0 (or the ASN of IX itself) and this filtering happens through RPKI.<br><br>The <a href="http://IX.BR" target="_blank" rel="noreferrer">IX.BR</a> team reported that this is already being discussed and should be forwarding it soon.<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">But I must remember that Registro.BR started supporting RPKI in late 2019, so it is fully acceptable that this definition of ROA is still adjusting there.<br>PS: Congratulations to Registro.BR staff for implementing RPKI almost uneventfully and with EXCELLENT response time and quality for the minimum problems that have arisen.<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br>Speaking of the Idea itself<br>---------------------------<br>Getting back to the "Accept or Not IX LAN Prefixes Worldwide" question.<br>- As there are still IXes that do not have the LAN prefix ROAs properly published.<br>- Since there are still many ASNs that do not validate RPKI<br>- Considering thar PeeringDB database is very consistent<br>I thought of creating a (cyclic) mechanism that takes LAN address information from PeeringDB IX informations and creates two prefix lists (v4 and v6).<br>And then use this prefix-list to discard these prefixes when coming from Upstreams.<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br>A friend even helped me and set up the query in the PeeringDB API for this.<br><br>The question<br>------------<br>Does it make sense to automate this filtering mechanism?</div><br>-- <br><div dir="ltr"><font size="2"><span style="font-family:courier new,monospace">Douglas Fernando Fischer</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Engº de Controle e Automação</span></font><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:courier new,monospace"></div></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr"><font size="2"><span style="font-family:courier new,monospace">Douglas Fernando Fischer</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Engº de Controle e Automação</span></font><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:courier new,monospace"></div></div>
_______________________________________________<br>
LACNOG mailing list<br>
<a href="mailto:LACNOG@lacnic.net" target="_blank" rel="noreferrer">LACNOG@lacnic.net</a><br>
<a href="https://mail.lacnic.net/mailman/listinfo/lacnog" rel="noreferrer noreferrer" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>
Cancelar suscripcion: <a href="https://mail.lacnic.net/mailman/options/lacnog" rel="noreferrer noreferrer" target="_blank">https://mail.lacnic.net/mailman/options/lacnog</a><br>
</blockquote></div>