Re: where was my white knight....

2011-11-09 Thread Nick Hilliard
On 09/11/2011 03:14, Randy Bush wrote: > once again, > o when you have no connection to a cache or no covering roa for a > a prefix, the result is specified as NotFound > o we recommend you route on NotFound > > so the result is the same as today. Well no, not really because when the cac

Re: where was my white knight....

2011-11-08 Thread Owen DeLong
On Nov 8, 2011, at 7:28 PM, Randy Bush wrote: > fwiw, we have not tested the scaling of rpki-rtr performance as much as > we might have. we synthesized an rpki cache with roas for all the > prefixes in a current table, 370k of them or whatever, and let routers > load that cache from zip to full.

Re: where was my white knight....

2011-11-08 Thread Randy Bush
> Indeed, we can expect new and exciting ways to blow up networks with > SIDR. the black helicopters spraying fud are especially vicious

Re: where was my white knight....

2011-11-08 Thread Randy Bush
fwiw, we have not tested the scaling of rpki-rtr performance as much as we might have. we synthesized an rpki cache with roas for all the prefixes in a current table, 370k of them or whatever, and let routers load that cache from zip to full. for low-end routers and a mediocre cache server, eithe

Re: where was my white knight....

2011-11-08 Thread Randy Bush
> I understand what the manual says (actually, i read it). cheating > I'm just curious as to how this is going to work in real life. Let's > say you have a router cold boot with a bunch of ibgp peers, a transit > or two and an rpki cache which is located on a non-connected network - > e.g. s

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 5:26 PM, Dobbins, Roland wrote: > > On Nov 9, 2011, at 4:22 AM, Christopher Morrow wrote: > >>  the routers have (in some form of the plan) a cache > > A cache that's persistent across reboots? > not across reboots, but in this case routers didn't necessarily reboot (parts

Re: where was my white knight....

2011-11-08 Thread Matthias Waehlisch
On Tue, 8 Nov 2011, bmann...@vacation.karoshi.com wrote: > On Tue, Nov 08, 2011 at 08:16:10PM +0100, Randy Bush wrote: > > > the answer seems to be NO, it would not have helped and would have > > > actually contributed to network instability with large numbers of > > > validation requests sent to

Re: where was my white knight....

2011-11-08 Thread bmanning
On Tue, Nov 08, 2011 at 08:16:10PM +0100, Randy Bush wrote: > > the answer seems to be NO, it would not have helped and would have > > actually contributed to network instability with large numbers of > > validation requests sent to the sidr/ca nodes... > > utter bullshit. maybe you would benefit

Re: where was my white knight....

2011-11-08 Thread Leo Bicknell
In a message written on Tue, Nov 08, 2011 at 10:19:24PM +, Nick Hilliard wrote: > One solution is to have directly-connected rpki caches available to all > your bgp edge routers throughout your entire network. This may turn out to > be expensive capex-wise, and will turn out to be yet anoth

Re: where was my white knight....

2011-11-08 Thread Dobbins, Roland
On Nov 9, 2011, at 5:19 AM, Nick Hilliard wrote: > One solution is to have directly-connected rpki caches available to all your > bgp edge routers throughout your entire network. They don't have to be directly-connected - they could be on the DCN, which ought to have at least some static 'hin

Re: where was my white knight....

2011-11-08 Thread Dobbins, Roland
On Nov 9, 2011, at 4:22 AM, Christopher Morrow wrote: > the routers have (in some form of the plan) a cache A cache that's persistent across reboots? --- Roland Dobbins // The b

Re: where was my white knight....

2011-11-08 Thread Nick Hilliard
On 08/11/2011 21:32, valdis.kletni...@vt.edu wrote: Anybody who puts their rpki cache someplace that isn't accessible until they get the rpki initialized gets what they deserve. One solution is to have directly-connected rpki caches available to all your bgp edge routers throughout your entire

Re: where was my white knight....

2011-11-08 Thread Leigh Porter
On 8 Nov 2011, at 21:37, "Leo Bicknell" wrote: > In a message written on Tue, Nov 08, 2011 at 04:22:48PM -0500, Christopher > Morrow wrote: >> I think actually it wouldn't have caused more validation requests, the >> routers have (in some form of the plan) a cache from their local >> cache, the

Re: where was my white knight....

2011-11-08 Thread Leo Bicknell
In a message written on Tue, Nov 08, 2011 at 04:22:48PM -0500, Christopher Morrow wrote: > I think actually it wouldn't have caused more validation requests, the > routers have (in some form of the plan) a cache from their local > cache, they use this for origin validation... there's not a > requi

Re: where was my white knight....

2011-11-08 Thread Valdis . Kletnieks
On Tue, 08 Nov 2011 20:51:00 GMT, Nick Hilliard said: > I understand what the manual says (actually, i read it). I'm just curious > as to how this is going to work in real life. Let's say you have a router > cold boot with a bunch of ibgp peers, a transit or two and an rpki cache > which is loca

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 4:08 PM, Leigh Porter wrote: > > On 8 Nov 2011, at 18:24, "Dobbins, Roland" wrote: > >> Validation storm-control is something which must be accounted for in >> SIDR/DANE architecture, implementation, and deployment.  But at the end of >> the day, vendors are still respons

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 1:48 PM, Nick Hilliard wrote: > On 08/11/2011 18:14, bmann...@vacation.karoshi.com wrote: >>  the answer seems to be NO, it would not have helped and would have actually >> contributed to network instability with large numbers of validation requests >> sent to the sidr/ca no

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 1:14 PM, wrote: > >  that was/is kind of orthogonal to the question... would the sidr plan > for routing security have been a help in this event?  nice to know > unsecured IPv6 took some of the load when the unsecured IPv4 path > failed. > if all routing goes boom, would se

Re: where was my white knight....

2011-11-08 Thread Leigh Porter
On 8 Nov 2011, at 18:24, "Dobbins, Roland" wrote: > > On Nov 9, 2011, at 1:14 AM, wrote: > >> that was/is kind of orthogonal to the question... would the sidr plan for >> routing security have been a help in this event? > > SIDR is intended to provide route-origination validation - it isn't

Re: where was my white knight....

2011-11-08 Thread Nick Hilliard
On 08/11/2011 19:19, Randy Bush wrote: > what comes to my mind is that NotFound is the default and it is > recommended to route on it. I understand what the manual says (actually, i read it). I'm just curious as to how this is going to work in real life. Let's say you have a router cold boot wit

Re: where was my white knight....

2011-11-08 Thread Randy Bush
> i'm curious about sidr cold bootup, specifically when you are > attempting to validate prefixes from an rpki CA or cache to which you > do not necessarily have network connectivity because your igp is not > yet fully up. The phrases "layering violation" and "chicken and egg" > come to mind. wha

Re: where was my white knight....

2011-11-08 Thread Randy Bush
> the answer seems to be NO, it would not have helped and would have > actually contributed to network instability with large numbers of > validation requests sent to the sidr/ca nodes... utter bullshit. maybe you would benefit by actually reading the doccos and understanding the protocols.

Re: where was my white knight....

2011-11-08 Thread bmanning
On Tue, Nov 08, 2011 at 06:48:12PM +, Nick Hilliard wrote: > On 08/11/2011 18:14, bmann...@vacation.karoshi.com wrote: > > the answer seems to be NO, it would not have helped and would have actually > > contributed to network instability with large numbers of validation requests > > sent to th

Re: where was my white knight....

2011-11-08 Thread bmanning
On Tue, Nov 08, 2011 at 06:25:36PM +, Dobbins, Roland wrote: > On Nov 9, 2011, at 1:22 AM, Dobbins, Roland wrote: > > > Validation storm-control is something which must be accounted for in > > SIDR/DANE architecture, implementation, and deployment. But at the end of > > the day, vendors are

Re: where was my white knight....

2011-11-08 Thread Nick Hilliard
On 08/11/2011 18:14, bmann...@vacation.karoshi.com wrote: > the answer seems to be NO, it would not have helped and would have actually > contributed to network instability with large numbers of validation requests > sent to the sidr/ca nodes... i'm curious about sidr cold bootup, specifically wh

Re: where was my white knight....

2011-11-08 Thread Dobbins, Roland
On Nov 9, 2011, at 1:22 AM, Dobbins, Roland wrote: > Validation storm-control is something which must be accounted for in > SIDR/DANE architecture, implementation, and deployment. But at the end of > the day, vendors are still responsible for their own code. To be clear, I was alluding to some

Re: where was my white knight....

2011-11-08 Thread Dobbins, Roland
On Nov 9, 2011, at 1:14 AM, wrote: > that was/is kind of orthogonal to the question... would the sidr plan for > routing security have been a help in this event? SIDR is intended to provide route-origination validation - it isn't intended to be nor can it possibly be a remedy for vendor-speci

Re: where was my white knight....

2011-11-08 Thread bmanning
that was/is kind of orthogonal to the question... would the sidr plan for routing security have been a help in this event? nice to know unsecured IPv6 took some of the load when the unsecured IPv4 path failed. the answer seems to be NO, it would not have helped and would have actually contrib

Re: where was my white knight....

2011-11-08 Thread Mike Leber
We saw an increase in IPv6 traffic which correlated time wise with the onset of this IPv4 incident. Happy eyeballs in action, automatically shifting what it could. Mike. On 11/8/11 2:56 AM, bmann...@vacation.karoshi.com wrote: how would a sidr-enabled routing infrastructure have fared in ye

Re: where was my white knight....

2011-11-08 Thread Dobbins, Roland
On Nov 8, 2011, at 5:56 PM, wrote: > how would a sidr-enabled routing infrastructure have fared in yesterday's > routing circus? The effects of large amounts of route-churn on the auth chain - perhaps DANE? - might've been interesting . . .

where was my white knight....

2011-11-08 Thread bmanning
how would a sidr-enabled routing infrastructure have fared in yesterday's routing circus? /bill