Danny,
On 2013-03-18 10:47, Stephen Kent wrote:

There are at least two issue here: how quickly a new/changed ROA is published
after it is created/modified, and how quickly one should expect all
RPs to have acquired this info. The RPKI propagation model for ROAs was
based on the observation that, typically, the binding between an
address space holder
and the AS originating routes to that space changed very infrequently, and not very fast. Conversations with RIR staff supported this notion, based on IRR DB experience. So, suggesting that this data needs to be propagated in
minutes, vs. 1/2 a day, is quite a change.

No, it's not.
My comment applies to the statement about the frequency with which IRR DB entries, some of which are very analogous to ROAs, change. Your assertion (below) might be that folks who do not rely on these dabatases accept changes in asserted prefix/ASN bindings at the speed of routing updates. I agree with that observaiton, but note that it's also what made the Pakistan Telecom vs. YouTube
incident possible.
The system converges at the speed of routing today, if I have to wait 12 hours to mitigate an attack for someone then that could be a problem. If the RIR's actually conducted any qualitative study to this effect I'd appreciate a reference - I've seen none. However, I can say for certain that there are many companies that need "minutes" of convergence, just like they have today, else they won't be able to perform things like DDoS mitigation for hours or longer, and that's not acceptable to many current operations. We have a business that utilizes this today.
You cite DDoS mitigation as _an_ example, whereas it seems to be more _the_ example. Also, it's not clear that asserting a new origin AS for a target of such an attack is the only way to deal with the problem, just the way that it is performed today, for ASes that do not make arrangements in advance to counter
such attacks.

Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr

Reply via email to