nanog mailing list archives

Re: Changes to ARIN Online - Routing Security Dashboard - RPKI & IRR integration (was: Fwd: [arin-announce] New Features Added to ARIN Online)


From: Mark Kosters <markk () arin net>
Date: Tue, 8 Aug 2023 15:59:19 +0000

Hi Job

Answers below starting with MK:

On 8/7/23, 7:31 PM, "NANOG on behalf of Job Snijders via NANOG" <nanog-bounces+markk=arin.net () nanog org on behalf of nanog () nanog org> wrote:

- is the IRR state directly derived from the RPKI state?

MK: No.  This is all done in software. First a ROA is generated, then one or more IRR objects based on how the ROA was 
defined by the user.

An example for context: should some kind of unfortunate failure happen
in ARIN's HSMs and thusly a new Manifest + CRL pair isn't signed and
published before the 'nextUpdate' timestamp of the previous pair,
would the associated IRR objects be deleted via NRTM? Or is the
creation of ROAs and IRR route:/route6: objects decoupled in the
sense that an operator creates an abstract object which then is
transformed into both IRR and RPKI objects?

MK: When the resource holder submits a ROA generation request, we have code that translates the ROA into the equivalent 
auto-managed route/route6 IRR objects, from the starting prefix to longest possible match. This process does not use 
the capabilities or features in third party software implementations. 

- What is the expected delay (if any) between creating a RPKI ROA and
the associated IRR route/route6 objects appearing via NRTM?
Is there online documentation outlining expectations, and is there
internal monitoring on the delivery of the RPKI-to-IRR transformation
service?

MK: New RPKI ROAs are published every three minutes. IRR objects are published every five minutes. There is a 
possibility that the route object derived from a ROA could be seen in ARIN’s IRR database before the ROA in ARIN’s RPKI 
repository.

- The documentation states "If the creation of a ROA would result in
more than 256 IRR Route Objects, no managed IRR Route Objects will be
created." - but, why not? 

MK: Our reason for limiting the creation is to protect the IRR mirroring service. A rapid influx of route object 
creation may overrun the IRR processes if a poor decision was made with respect to the use of the maxlength field. For 
example, a 205.188.0.0/16 maxlength 24 ROA would generate 511 IRR route objects (2^(prefix_length - max_length + 1) - 1). 
We may revisit this maximum limit in the future.

Would it not be advantageous to create at a minimum the 256 of the 'least-specific' objects?

MK: That may be a reasonable approach. Do you see any adverse effects in simplifying the IRR Route creation logic to 
just have least-specific?

Thanks,
Mark
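The expansion discussed in this exchange, as an added example that is not ARIN's code and not part of the original thread: a ROA (prefix, maxLength) is expanded into one route:/route6: object per covered prefix from the ROA prefix down to maxLength, so a /16 with maxLength 24 yields 1 + 2 + ... + 256 = 511 objects, which is the sum of 2^(l - 16) for l from 16 to 24. The 256 cap is the one quoted from the documentation; the `least_specific_first` option models Job's suggestion of emitting the least-specific objects up to the cap and is my assumption about how such a policy could look. The function names and the origin ASN (64496, from the documentation range) are constructed for the example.

```python
"""Model how a ROA expands into auto-managed IRR route objects (added example, not ARIN's code)."""
import ipaddress
from typing import Iterator, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Cap quoted from the ARIN documentation in the thread.
ARIN_IRR_OBJECT_CAP = 256


def roa_route_count(prefix_len: int, max_length: int) -> int:
    """Number of prefixes covered by a ROA with the given prefix length and maxLength.

    Each length l in [prefix_len, max_length] contributes 2^(l - prefix_len)
    prefixes, and the geometric sum is 2^(max_length - prefix_len + 1) - 1.
    """
    if max_length < prefix_len:
        raise ValueError("maxLength must not be shorter than the ROA prefix")
    return 2 ** (max_length - prefix_len + 1) - 1


def expand_roa(prefix: str, max_length: int) -> Iterator[Network]:
    """Yield every prefix the ROA authorises, least-specific first."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength outside [prefix length, address size]")
    for length in range(net.prefixlen, max_length + 1):
        if length == net.prefixlen:
            yield net
        else:
            yield from net.subnets(new_prefix=length)


def irr_objects_for_roa(
    prefix: str,
    origin_asn: int,
    max_length: int,
    cap: int = ARIN_IRR_OBJECT_CAP,
    least_specific_first: bool = False,
) -> List[str]:
    """Return the route:/route6: objects that would be created for the ROA.

    Documented behaviour: if the expansion exceeds `cap`, nothing is created.
    With least_specific_first=True (assumed alternative policy), the first
    `cap` objects in least-specific order are created instead.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    total = roa_route_count(net.prefixlen, max_length)
    if total > cap and not least_specific_first:
        return []
    attr = "route6" if net.version == 6 else "route"
    objects: List[str] = []
    for covered in expand_roa(prefix, max_length):
        if len(objects) >= cap:
            break
        objects.append(f"{attr}: {covered}\norigin: AS{origin_asn}")
    return objects


if __name__ == "__main__":
    # The example from the thread: a /16 with maxLength 24 expands to 511 objects.
    print(roa_route_count(16, 24))
    # Under the documented cap nothing is created ...
    print(len(irr_objects_for_roa("205.188.0.0/16", 64496, 24)))
    # ... while least-specific-first would create 256, the last of them a lone /24.
    objs = irr_objects_for_roa("205.188.0.0/16", 64496, 24, least_specific_first=True)
    print(len(objs), objs[-1].splitlines()[0])
```

Running the script shows the operational consequence of each policy: the documented rule produces no route objects at all for the /16 maxLength 24 ROA, whereas the least-specific-first variant produces every /16 through /23 (255 objects) plus exactly one /24, a partial layer that an operator relying on IRR-based filtering would want to be aware of.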
