Can an operator discard no RPKI / RPKI INVALID *from the DFZ* today, or at any time in the foreseeable future? No. Probably not ever.
That does not mean there are other perfectly reasonable RPKI use cases where an AS 0 ROA does accomplish exactly what it was designed to do.

On Sun, Oct 22, 2023 at 1:24 PM William Herrin <b...@herrin.us> wrote:
> On Sun, Oct 22, 2023 at 10:06 AM Tom Beecher <beec...@beecher.cc> wrote:
>> And is it your belief that this addresses the described attack vector?
>> AFAICT, it does not.
>
> In the mixed RPKI / non-RPKI environment of today's internet, no it
> doesn't.
>
> I don't see a path to an Internet where a serious network operator can
> broadly discard routes for which there is no RPKI information.
> Especially given that many legacy folks are barred by the registry
> from participating in RPKI.
>
> Do you see a path?
>
> Then we have to treat this as a case where RPKI is non-performant and
> operate with the understanding that an AS0 ROA will not, as a
> practical matter, accomplish the thing it was designed to do.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
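The distinction the two posters are circling (an AS 0 ROA makes every covered announcement Invalid, but a prefix with no ROA at all is only NotFound, which a router in today's mixed environment cannot reasonably discard) is illustrated by this added example, which is not code from the thread; it implements simplified RFC 6811 origin validation over constructed sample ROAs and a hypothetical `accept` policy.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, origin ASN).
# The AS 0 ROA on 198.51.100.0/24 says "no AS may originate this prefix",
# so every announcement it covers validates as Invalid.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 0),   # AS 0 ROA
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return the RFC 6811 state for (prefix, origin): Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True
        # An AS 0 ROA can never match an origin; AS 0 is not a valid origin AS.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    # Covered by at least one ROA but matched by none -> Invalid.
    return "Invalid" if covered else "NotFound"

def accept(prefix, origin_asn, drop_notfound=False):
    """Hypothetical import policy: drop Invalid; NotFound is dropped only if
    the operator can afford to discard routes without RPKI information."""
    state = validate(prefix, origin_asn)
    if state == "Invalid":
        return False
    if state == "NotFound":
        return not drop_notfound
    return True

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("198.51.100.0/24", 64496), ("203.0.113.0/24", 64496)]:
        print(pfx, asn, validate(pfx, asn), accept(pfx, asn))
```

With `drop_notfound=False`, the AS 0 ROA blocks announcements of its own prefix, but the unsigned 203.0.113.0/24 is still accepted; only the policy an operator cannot deploy today would discard it.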