Since at its best, all RPKI can provide is a hint at how to properly lie about an announcement (i.e. what you must prepend in order for it to be believed), I remain unconvinced that it provides any actual benefit except, perhaps, to the largest and most well known ASNs as originators.
Owen

> On Sep 18, 2022, at 11:38 , Alex Band <[email protected]> wrote:
>
>> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG <[email protected]> wrote:
>>
>>> On Sep 15, 2022, at 22:04 , Rubens Kuhl <[email protected]> wrote:
>>>
>>> On Fri, Sep 16, 2022 at 12:45 PM William Herrin <[email protected]> wrote:
>>>>
>>>> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl <[email protected]> wrote:
>>>>> On Fri, Sep 16, 2022 at 11:55 AM William Herrin <[email protected]> wrote:
>>>>>> No, the best option for me right now is that I just don't participate
>>>>>> in RPKI and the system has one less participant. And that's a shame.
>>>>>
>>>>> That's only true in the current environment where RPKI is only used to
>>>>> invalidate bogus routes. When any reachability for RPKI-unknowns is
>>>>> lost, that will change.
>>>>
>>>> Hi Rubens,
>>>>
>>>> If you want to bet me on folks ever deciding to discard RPKI-unknowns
>>>> down in the legacy class C's I'll be happy to take your money.
>>>
>>> I don't think people will look at even the class, and definitively not
>>> to legacy or non-legacy partitions.
>>> They will either drop it all, or not drop it at all.
>>>
>>> Note that when the only IP blocks that spammers and abusers can inject
>>> in the system are non-signed ones, those blocks will get bad
>>> reputations pretty fast. So the legacy holders' use case for RPKI might
>>> come sooner than you think.
>>
>> Nah… Because the reputations will still be the individual /24s and while
>> lots of /24s around mine have bad reputations, mine doesn't and never has
>> (modulo a couple of administrative errors that were on me and legitimately
>> my fault, not actual spammers).
>>
>>>> Anyway, the risk/reward calculation for NOT signing the LRSA right now
>>>> is really a no-brainer. It's just unfortunate that means I won't get
>>>> an early start on RPKI.
>>>
>>> Discarding RPKI-invalids is something you can do right now and that
>>> doesn't come with a price tag. Good BCP38 and RPKI-invalid hygiene is
>>> the thankless gift you can give to the community.
>>
>> Yes, but I think that RPKI unknowns are never going to be something that
>> can be safely dropped and 90% of RPKI invalids so far seem to be people
>> making RPKI mistakes with their legitimate announcements.
>>
>> The more I look at RPKI, the more it looks like a lot of effort with very
>> little benefit to the community.
>
> While I'm sure that most would agree that RPKI offers at least some benefits,
> perhaps the problem is the cost/benefit of doing RPKI in the ARIN region
> compared to the rest of the world, e.g. ticketed requests to set it up, no
> indication of what the effect of your ROA is going to be before you publish,
> handling ROA expiry manually, etc.
>
> In other regions using RPKI is orders of magnitude simpler to set up and
> maintain, and a lot less error prone. They provide alerting when your ROAs do
> not seem to match what is seen in BGP, create matching route: objects, etc.
>
> To illustrate, here's a video of the RIPE NCC management UI from 2015 (!):
>
> https://youtu.be/gLwHp12wOGw
>
> (And no, the nonrepudiation requirement in ARIN is not an excuse)
>
> -Alex
>
>> YMMV
>>
>> Owen
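The thread turns on three route origin validation outcomes: RPKI-valid, RPKI-invalid (which Rubens says you can drop today) and RPKI-unknown (which Owen expects will never be safely droppable), plus the "legitimate announcement made invalid by an RPKI mistake" case. The following is an added example, not code from the thread or from any RIR: it implements the RFC 6811 classification over a constructed set of ROAs, using RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, and shows how a maxLength that is too tight turns a legitimate more-specific into an invalid.

```python
import ipaddress

# Constructed ROA set (prefix, maxLength, origin ASN); not real published ROAs.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    # maxLength equals the prefix length, so only the /22 itself is authorised;
    # announcing a /24 out of it is the classic self-inflicted RPKI-invalid.
    ("198.51.100.0/22", 22, 64497),
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 Route Origin Validation.

    Returns 'valid', 'invalid' or 'not-found' ('not-found' is what the thread
    calls RPKI-unknown: no ROA covers the prefix at all, e.g. unsigned legacy space).
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        # A match needs the same origin ASN and a prefix no longer than maxLength.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def accept_route(state, drop_unknown=False):
    """Import policy: always drop invalids; dropping unknowns is a separate,
    much riskier choice (the point Owen and Rubens disagree on)."""
    if state == "invalid":
        return False
    if state == "not-found":
        return not drop_unknown
    return True


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64496)]:
        s = rov_state(pfx, asn)
        print(f"{pfx} from AS{asn}: {s}, accepted={accept_route(s)}")
```

The 198.51.100.0/24 case is the one Owen describes: the holder's own announcement, signed by the holder, yet invalid because the ROA's maxLength does not cover the more-specific.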

