Re: Acceptance of RPKI unknown in ROV

2023-10-20 Thread Dale W. Carder
Thus spake Randy Bush (ra...@psg.com) on Thu, Oct 19, 2023 at 03:16:21PM -0700:
> > For legacy resource holders it is a problem but then it’s a
> > bureaucratic issue rather than technical and technology has a solution
> > called SLURM.
> 
> has arin not made it easier, lowering the legal insanity, for legacy
> holders to obtain services?

Yes, and the process is pretty straightforward now even for public 
entities.

We (AS293) recently updated our RSA and LRSA to the latest language
and also are cleaning up some ~40yrs of not-quite-accurate-enough 
record keeping between multiple govt entities.  If "we" can do it,
"you" can do it (probably a heck of a lot easier) ;-)

Dale 



Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Gaurav Kansal via NANOG


> On 20-Oct-2023, at 00:35, nanog@nanog.org wrote:
> 
> On Thu, 19 Oct 2023 at 11:56, Owen DeLong wrote:
>>> 
>>> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG wrote:
>>>> A question for network operators out there that implement ROV…
>>>> 
>>>> Is anyone rejecting RPKI unknown routes at this time?
>>>> 
>>>> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t 
>>>> match the route), but I’m wondering if anyone is currently or has any 
>>>> plans to start rejecting routes which don’t have a matching ROA at all?
>>> 
>>> 
>>> This would be a bad idea and cause needless fragility in the network 
>>> without any upsides.
>> 
>> I’m not intending to advocate it, I’m asking if anyone is currently doing it.
> 
> 
> I’m not aware of anyone doing this, and have not heard operators express 
> interest in doing this (probably because it seems such an unpleasant concept).
> 
> Somewhat related:
> 
> I do know of operators that require a ROA (if it’s non-legacy space) during 
> their customer onboarding process, for example, in BOYIP for DIA cases.

In my region also, ISPs are asking for valid ROAs before on-boarding users.

> 
> But those operators do not expect the ROA to continually exist after the 
> provisioning has been completed successfully. Making the continued 
> availability of a route dependent on the continued validity of a ROA is where 
> friction starts to form.
> 
> Kind regards,
> 
> Job



Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Randy Bush
>> has arin not made it easier, lowering the legal insanity, for legacy
>> holders to obtain services?
> Yes but they need to jump now if they want to take advantage of it, as
> I understand it.

arin has deep expertise in hurdles

randy


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Fearghas Mckay
On 19 Oct 2023 at 17:16:21, Randy Bush wrote:

> has arin not made it easier, lowering the legal insanity, for legacy
> holders to obtain services?
>

Yes but they need to jump now if they want to take advantage of it, as I
understand it.

f


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Randy Bush
> For legacy resource holders it is a problem but then it’s a
> bureaucratic issue rather than technical and technology has a solution
> called SLURM.

has arin not made it easier, lowering the legal insanity, for legacy
holders to obtain services?

randy


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Aftab Siddiqui
On Thu, 19 Oct 2023 at 1:37 pm, Owen DeLong  wrote:

> I ask because there was discussion at the ARIN meeting and Kevin Blumburg
> made the suggestion that “in 2024, routes will not be accepted without
> ROAs”.
>

As someone who was there, that’s a misrepresentation of what Kevin said. I’m
sure he can jump in and share his detailed point of view, but his point
was many operators and cloud providers are already demanding to have a
valid ROA to peer or use their services and that will most likely become a
requirement moving forward.

For legacy resource holders it is a problem but then it’s a bureaucratic
issue rather than technical and technology has a solution called SLURM.


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Owen DeLong via NANOG
I ask because there was discussion at the ARIN meeting and Kevin Blumburg made 
the suggestion that “in 2024, routes will not be accepted without ROAs”.

I didn’t think this was likely, but as someone with resources for which I 
cannot create ROAs, it is a concern. So far, I haven’t really seen a 
significant benefit to going to the trouble of creating ROAs, but I also don’t 
want to suddenly find myself offline because I didn’t, so I figured it was a 
good idea to get a sense of the community on this.

Thanks to those that replied.

Owen


> On Oct 19, 2023, at 12:17, Job Snijders  wrote:
> 
> On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui wrote:
>> A quick check to my routing table suggests that I have 206700 preferred 
>> routes (v4/v6) to notfound (unknown) destinations. So yeah I don't think 
>> anyone can afford to do this right now.
> 
> 
> I don’t think anyone can afford to ever do this, regardless of the number of 
> unknown destinations!
> 
> Imagine not being able to reach North American destinations for 23 hours 
> because of a cryptographic signing issue at the RIR [0] causing all ROAs to 
> blip out of existence.
> 
> Kind regards,
> 
> Job
> 
> [0] 
> https://www.arin.net/announcements/20200826/



Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Job Snijders via NANOG
On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui 
wrote:

> A quick check to my routing table suggests that I have 206700
> preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
> don't think anyone can afford to do this right now.
>


I don’t think anyone can afford to ever do this, regardless of the number
of unknown destinations!

Imagine not being able to reach North American destinations for 23 hours
because of a cryptographic signing issue at the RIR [0] causing all ROAs to
blip out of existence.

Kind regards,

Job

[0]
https://www.arin.net/announcements/20200826/
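
The failure mode described in the message above, as an added example that is not part of any post in this thread: route origin validation states (valid / invalid / notfound, per RFC 6811) computed for a few routes, then the same routes re-evaluated with an empty ROA set. The prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin AS) from documentation ranges.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP routes: (prefix, origin AS).
ROUTES = [
    ("192.0.2.0/24", 64500),       # matches a VRP
    ("198.51.100.0/24", 64666),    # covered, wrong origin
    ("2001:db8:1::/48", 64500),    # within maxLength
    ("2001:db8:1:2::/64", 64500),  # covered, more specific than maxLength
    ("203.0.113.0/24", 64502),     # no covering VRP
]


def validate(prefix, origin, vrps):
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def accepted(routes, vrps, reject_notfound):
    """Routes that survive import policy; invalid is always rejected."""
    drop = {"invalid", "notfound"} if reject_notfound else {"invalid"}
    return [r for r in routes if validate(r[0], r[1], vrps) not in drop]


def summary(vrps):
    """Accepted-route counts: (reject invalid only, reject invalid+notfound)."""
    return (len(accepted(ROUTES, vrps, False)), len(accepted(ROUTES, vrps, True)))


if __name__ == "__main__":
    print("normal VRP set:", summary(VRPS))
    print("VRP set empty: ", summary([]))
```

With the ROA set gone, every route becomes notfound: the reject-invalid policy accepts all five routes, while the policy that also rejects notfound accepts none.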


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Aftab Siddiqui
A quick check to my routing table suggests that I have 206700
preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
don't think anyone can afford to do this right now.

Regards,

Aftab A. Siddiqui


On Fri, 20 Oct 2023 at 05:49, Owen DeLong via NANOG  wrote:

> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wondering if anyone  is currently or has any
> plans to start rejecting routes which don’t have a matching ROA at all?
>
> Thanks,
>
> Owen
>
>


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Job Snijders via NANOG
On Thu, 19 Oct 2023 at 11:56, Owen DeLong  wrote:

>
> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG 
> wrote:
>
>> A question for network operators out there that implement ROV…
>>
>> Is anyone rejecting RPKI unknown routes at this time?
>>
>> I know that it’s popular to reject RPKI invalid (a ROA exists, but
>> doesn’t match the route), but I’m wondering if anyone  is currently or has
>> any plans to start rejecting routes which don’t have a matching ROA at all?
>
>
>
> This would be a bad idea and cause needless fragility in the network
> without any upsides.
>
>
> I’m not intending to advocate it, I’m asking if anyone is currently doing
> it.
>


I’m not aware of anyone doing this, and have not heard operators express
interest in doing this (probably because it seems such an unpleasant
concept).

Somewhat related:

I do know of operators that require a ROA (if it’s non-legacy space) during
their customer onboarding process, for example, in BOYIP for DIA cases.

But those operators do not expect the ROA to continually exist after the
provisioning has been completed successfully. Making the continued
availability of a route dependent on the continued validity of a ROA is
where friction starts to form.

Kind regards,

Job

>


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread Job Snijders via NANOG
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG  wrote:

> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wondering if anyone  is currently or has any
> plans to start rejecting routes which don’t have a matching ROA at all?



This would be a bad idea and cause needless fragility in the network
without any upsides.

Regards,

Job


Re: Acceptance of RPKI unknown in ROV

2023-10-19 Thread JASON BOTHE via NANOG
Assuming unknown encompasses no ROA at all, I’m inclined to say most probably 
haven’t because that would break a lot of things because a lot of folks don’t 
have ROAs at all and some don’t seem to even have a plan around implementing 
them.

J~

> On Oct 19, 2023, at 11:47, Owen DeLong via NANOG  wrote:
> 
> A question for network operators out there that implement ROV…
> 
> Is anyone rejecting RPKI unknown routes at this time?
> 
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t 
> match the route), but I’m wondering if anyone  is currently or has any plans 
> to start rejecting routes which don’t have a matching ROA at all?
> 
> Thanks,
> 
> Owen
>