Hi Job

Answers below starting with MK:

On 8/7/23, 7:31 PM, "NANOG on behalf of Job Snijders via NANOG" 
<nanog-bounces+markk=arin....@nanog.org on behalf of nanog@nanog.org> wrote:

- is the IRR state directly derived from the RPKI state?

MK: No.  This is all done in software. First a ROA is generated, then one or 
more IRR objects based on how the ROA was defined by the user.

An example for context: should some kind of unfortunate failure happen
in ARIN's HSMs and thusly a new Manifest + CRL pair isn't signed and
published before the 'nextUpdate' timestamp of the previous pair,
would the associated IRR objects be deleted via NRTM? Or is the
creation of ROAs and IRR route:/route6: objects discoupled in the
sense that an operator creates an abstract object which then is
transformed into both IRR and RPKI objects?

MK: When the resource holder submits a ROA generation request, we have code 
that translates the ROA into the equivalent auto-managed route/route6 IRR 
objects, from the starting prefix to longest possible match. This process does 
not use the capabilities or features in third party software implementations. 

- What is the expected delay (if any) between creating a RPKI ROA and
the associated IRR route/route6 objects appearing via NRTM?
Is there online documentation outlining expectations, and is there
internal monitoring on the delivery of the RPKI-to-IRR transformation
service?

MK: New RPKI ROAs are published every three minutes. IRR objects are published 
every five minutes. There is a possibility that the route object derived from a 
ROA could be seen in ARIN’s IRR database before the ROA in ARIN’s RPKI 
repository.

- The documentation states "If the creation of a ROA would result in
more than 256 IRR Route Objects, no managed IRR Route Objects will be
created." - but, why not? 

MK: Our reason for limiting the creation is to protect the IRR mirroring 
service. A rapid influx of route object creation may overrun the IRR processes 
if a poor decision was made with respect to the use of the maxlength field.  
For example, a 205.188.0.0/16 maxlength 24 ROA would generate 511 IRR route 
objects (( 2^( prefix_length - max_length + 1 ))- 1). We may revisit this 
maximum limit in the future.

Would it not be advantageous to create at a minimum the 256 of the 
'least-specific' objects?

MK: That may be a reasonable approach. Do you see any adverse effects in 
simplifying the IRR Route creation logic to just have least-specific?

Thanks,
Mark
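
As an added illustration that is not part of the original message and is not ARIN's code: a Python example of the ROA-to-route-object expansion and the 256-object cap discussed above, including the "least-specific" alternative raised in the thread. The function names, the `policy` switch and the origin AS64496 (a documentation ASN) are assumptions made for the example.

```python
import ipaddress
from itertools import islice

LIMIT = 256  # cap quoted from the documentation cited in the thread


def expand_roa(prefix, max_length):
    """Yield every prefix the ROA covers, least-specific first."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must be between prefix length and address width")
    for length in range(net.prefixlen, max_length + 1):
        yield from net.subnets(new_prefix=length)


def object_count(prefix, max_length):
    """Closed form of the expansion size: sum of 2^k for k = 0..(maxLength - length)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return 2 ** (max_length - net.prefixlen + 1) - 1


def managed_route_objects(prefix, max_length, origin_as, policy="all-or-nothing"):
    """Return RPSL route/route6 stubs for a ROA under the cap.

    all-or-nothing: over the cap, nothing is created (documented behaviour).
    least-specific: hypothetical alternative, keep only the first LIMIT objects.
    """
    if object_count(prefix, max_length) > LIMIT and policy == "all-or-nothing":
        return []
    attr = "route6" if ":" in prefix else "route"
    # islice keeps the expansion lazy, so a wide IPv6 maxLength cannot
    # allocate more than LIMIT objects.
    return [f"{attr}: {p}\norigin: AS{origin_as}"
            for p in islice(expand_roa(prefix, max_length), LIMIT)]


if __name__ == "__main__":
    # Constructed input: the prefix from the thread with a documentation ASN.
    roa = ("205.188.0.0/16", 24, 64496)
    print("expansion size:", object_count(*roa[:2]))
    print("all-or-nothing:", len(managed_route_objects(*roa)))
    kept = managed_route_objects(*roa, policy="least-specific")
    print("least-specific:", len(kept), "objects, last is", kept[-1].splitlines()[0])
```

With the thread's /16 maxlength 24 case, the least-specific policy stops one object into the /24 level, so a single /24 gets a route object while its 255 siblings do not.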



