> On 18 Sep 2022, at 20:42, Owen DeLong <o...@delong.com> wrote:
> 
> Since at its best, all RPKI can provide is a hint at how to properly lie
> about an announcement (i.e. what you must prepend in order for it to be
> believed), I remain unconvinced that it provides any actual benefit
> except, perhaps, to the largest and most well known ASNs as originators.
> 
> Owen

That’s not the point I’m making. 

You said something about the number of invalids and people making mistakes. I 
argue that may be because of ARIN’s service offering.

After over a decade of service, I wonder why it’s not better. There is plenty 
of inspiration to take from the other RIRs.

-Alex

> 
> 
>> On Sep 18, 2022, at 11:38 , Alex Band <a...@nlnetlabs.nl> wrote:
>> 
>> 
>> 
>>> On 18 Sep 2022, at 20:17, Owen DeLong via NANOG <nanog@nanog.org> wrote:
>>> 
>>> 
>>> 
>>>> On Sep 15, 2022, at 22:04 , Rubens Kuhl <rube...@gmail.com> wrote:
>>>> 
>>>> On Fri, Sep 16, 2022 at 12:45 PM William Herrin <b...@herrin.us> wrote:
>>>>> 
>>>>> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl <rube...@gmail.com> wrote:
>>>>>> On Fri, Sep 16, 2022 at 11:55 AM William Herrin <b...@herrin.us> wrote:
>>>>>>> No, the best option for me right now is that I just don't participate
>>>>>>> in RPKI and the system has one less participant. And that's a shame.
>>>>>> 
>>>>>> That's only true in the current environment where RPKI is only used to
>>>>>> invalidate bogus routes. When any reachability for RPKI-unknowns is
>>>>>> lost, that will change.
>>>>> 
>>>>> Hi Rubens,
>>>>> 
>>>>> If you want to bet me on folks ever deciding to discard RPKI-unknowns
>>>>> down in the legacy class C's I'll be happy to take your money.
>>>> 
>>>> I don't think people will look at even the class, and definitively not
>>>> to legacy or non-legacy partitions.
>>>> They will either drop it all, or not drop it at all.
>>>> 
>>>> Note that when the only IP blocks that spammers and abusers can inject
>>>> in the system are non-signed ones, those blocks will get bad
>>>> reputations pretty fast. So the legacy holders' use case for RPKI might
>>>> come sooner than you think.
>>> 
>>> Nah… Because the reputations will still be the individual /24s and while
>>> lots of /24s around mine have bad reputations, mine doesn’t and never has
>>> (modulo a couple of administrative errors that were on me and legitimately
>>> my fault, not actual spammers).
>>> 
>>>> 
>>>>> Anyway, the risk/reward calculation for NOT signing the LRSA right now
>>>>> is really a no-brainer. It's just unfortunate that means I won't get
>>>>> an early start on RPKI.
>>>> 
>>>> Discarding RPKI-invalids is something you can do right now and that
>>>> doesn't come with a price tag. Good BCP38 and RPKI-invalid hygiene is
>>>> the thankless gift you can give to the community.
>>> 
>>> Yes, but I think that RPKI unknowns are never going to be something that
>>> can be safely dropped and 90% of RPKI invalids so far seem to be people
>>> making RPKI mistakes with their legitimate announcements.
>>> 
>>> The more I look at RPKI, the more it looks like a lot of effort with very
>>> little benefit to the community.
>> 
>> While I’m sure that most would agree that RPKI offers at least some 
>> benefits, perhaps the problem is the cost/benefit of doing RPKI in the ARIN 
>> region compared to the rest of the world, e.g. ticketed requests to set it 
>> up, no indication of what the effect of your ROA is going to be before you 
>> publish, handling ROA expiry manually, etc.
>> 
>> In other regions using RPKI is orders of magnitude simpler to set up and 
>> maintain, and a lot less error prone. They provide alerting when your ROAs do 
>> not seem to match what is seen in BGP, create matching route: objects, etc.
>> 
>> To illustrate, here’s a video of the RIPE NCC management UI from 2015 (!):
>> 
>> https://youtu.be/gLwHp12wOGw
>> 
>> (And no, the nonrepudiation requirement in ARIN is not an excuse)
>> 
>> -Alex
>> 
>> 
>>> 
>>> YMMV
>>> 
>>> Owen
> 
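
Added example, not part of the original thread and not any RIR's code: a minimal "what would this ROA do before I publish it" preview, using RFC 6811 origin validation to show how a ROA with too short a maxLength turns an operator's own legitimate more-specifics from unknown into invalid. The function names, prefixes (documentation ranges) and ASNs are constructed for illustration.

```python
import ipaddress

def rov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' (NotFound).

    vrps is a list of (prefix, max_length, asn) tuples (validated ROA payloads).
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route only if the route lies inside the VRP prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS0 never matches; the route must not be longer than maxLength.
        if asn != 0 and asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

def preview_roa(new_vrp, current_vrps, announcements):
    """List the announcements whose state changes if new_vrp is published."""
    changes = []
    for prefix, origin_as in announcements:
        before = rov_state(prefix, origin_as, current_vrps)
        after = rov_state(prefix, origin_as, current_vrps + [new_vrp])
        if before != after:
            changes.append((prefix, origin_as, before, after))
    return changes

# Constructed sample: what is currently seen in BGP for the holder's space.
ANNOUNCEMENTS = [
    ("2001:db8::/32", 64500),      # the aggregate
    ("2001:db8:100::/48", 64500),  # traffic-engineering more-specific
    ("2001:db8:200::/48", 64501),  # downstream customer, own ASN
    ("192.0.2.0/24", 64500),       # not covered by the proposed ROA
]

if __name__ == "__main__":
    proposed = ("2001:db8::/32", 32, 64500)  # maxLength left at /32
    for prefix, asn, before, after in preview_roa(proposed, [], ANNOUNCEMENTS):
        print(f"{prefix} AS{asn}: {before} -> {after}")
```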
