nanog mailing list archives

Re: constraining RPKI Trust Anchors


From: Job Snijders via NANOG <nanog () nanog org>
Date: Wed, 11 Oct 2023 22:51:52 +0200

Dear Martin,

On Wed, Oct 11, 2023 at 10:01:53AM +0200, Martin Pels wrote:
> I think this is important work.

Thanks!

> As you indicated in your mail you have spent quite some time compiling
> the constraints files in the appendix. Keeping them up to date
> requires tracking allocations and policy developments in all RIRs. It
> reminds me of bogon filters for unallocated IP space, and the
> associated problems of networks not updating them [0].

Yes, indeed there is a burden associated with this risk mitigation
approach. I deem tracking of ratified policies in all RIRs feasible, but
yeah... it'll definitely be a recurring quarterly to-do item. The current
approach in developing these default constraint listings is to focus on
coarse-grained filters, and not bother to document unallocated space
because the resulting churn would be hard to manage & distribute.

> So while each RP should be able to make policy decisions based on its
> own local criteria, managing a default set of constraints is something
> that is best done centralized. Who do you envision should manage these
> lists? RP software maintainers? RIRs? Others?

I guess initially it'll be the RP developers (like me), because who else
is chartered to produce such listings at this moment? I do intend to
keep [1] updated. Would you like to help? :-)

I envision the default constraints can be distributed via packages like
rpki-trust-anchors [2] and integral in operating systems like OpenBSD in
order to reduce the burden on operators.

A potential follow-up exercise here could be to propose to increase the
level of detail in IANA's IPv4 Address Space Registry [0] by - for
example - documenting the longer-than-/8 blocks each RIR transferred to
AFRINIC when AFRINIC was instantiated.

Kind regards,

Job

[0]: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
[1]: https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-anchors-00.html
[2]: https://packages.debian.org/stable/rpki-trust-anchors
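As an added illustration, not part of this thread and not code from the draft or from any RP implementation, here is a small Python evaluator for the kind of per-trust-anchor constraints file discussed above. The line format and the allow/deny semantics are assumptions modelled on rpki-client style constraints files, limited to prefix entries (AS-number entries are omitted); the sample constraints and VRP prefixes are constructed.

```python
import ipaddress

# Constructed sample constraints for one hypothetical trust anchor.
# Assumed format: one "allow <prefix>" or "deny <prefix>" per line,
# "#" starts a comment. Assumed semantics: if any allow entries exist,
# a VRP must be fully covered by an allow; any overlap with a deny
# rejects the VRP (conservative choice for a coarse-grained filter).
SAMPLE_CONSTRAINTS = """
# coarse-grained allow-list for a hypothetical RIR trust anchor
allow 192.0.2.0/24
allow 198.51.100.0/24
allow 2001:db8::/32
# carve-out: this block was transferred elsewhere
deny 198.51.100.128/25
"""


def parse_constraints(text):
    """Parse allow/deny prefix lines into two lists of ip_network objects."""
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, value = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive: {action!r}")
        # strict=True rejects entries with host bits set, a common typo.
        net = ipaddress.ip_network(value.strip(), strict=True)
        (allow if action == "allow" else deny).append(net)
    return allow, deny


def _same_family(a, b):
    return a.version == b.version


def vrp_accepted(prefix_str, allow, deny):
    """Return True if a VRP prefix from this TA survives the constraints."""
    prefix = ipaddress.ip_network(prefix_str, strict=True)
    # Any overlap with a denied block rejects the whole VRP.
    if any(_same_family(prefix, d) and prefix.overlaps(d) for d in deny):
        return False
    # With an allow-list present, the VRP must sit entirely inside an entry.
    if allow and not any(_same_family(prefix, a) and prefix.subnet_of(a)
                         for a in allow):
        return False
    return True
```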

