There are in fact five anchors. I am not sure ARIN would be able to stop anyone holding RIPE space provided the resource holder uses the RIPE RPKI anchor for publishing his ROAs.

Regards,

Baldur


On 21.04.2020 08.51, Matt Corallo via NANOG wrote:
I find it fascinating that in this entire thread about the nature of RPKI the 
shift in the role of the RIR hasn’t come up.

Instead of RIRs coordinating address space use by keeping a public list which 
is (or should be) checked when a new peering session is added, RPKI shifts RIRs 
into the hot path of routing updates. Next time the US government decides some 
bad, bad, very bad country should be cut off from the world with viral 
sanctions, there’s a new tool available - by simply editing a database, every 
border router in the world will refuse to talk to $EVIL.

By no means am I suggesting we should stop the RPKI train (and AS397444 happily 
drops invalids and has ROAs for all prefixes), but there’s a very cost here 
that doesn’t appear to have gotten much love, let alone mitigation effort. In 
the context of RIPE having to ask for permission to keep receiving payments 
from several Iranian LIRs, this isn’t completely inconceivable.

By way of an example, something like a waiting period for RIRs to add new ROAs 
replacing removed ROAs (which would imply some kind of signed replacement, but 
you get the point). At least ARIN already has a several-month quieting period 
after yanking resources for non-payment, why not use that to give operators 
time to think about whether they mind talking to Iran?

/ducks

Matt

On Apr 20, 2020, at 08:10, Andrey Kostin <[email protected]> wrote:

Hi Nanog list,

Would be interesting to hear your opinion on this:
https://isbgpsafeyet.com/

We have cases when residential customers ask support "why isn't your service 
safe?" pointing to that article. It's difficult to answer correctly considering that 
the asking person usually doesn't know what BGP is and what it's used for, save for 
understanding its function, design and possible misuses.
IMO, on one hand it promotes and is aimed to push RPKI deployment, on the other 
hand is this a proper way for it? How ethical is it to claim other market players 
unsafe, considering that the scope of possible impact of not implementing it has 
a completely different scale for a small stub network and a big transit provider?

Kind regards,
Andrey
