nanog mailing list archives

Re: NTT->HE earlier today (~10am EDT)


From: Job Snijders <job () instituut net>
Date: Wed, 1 Jul 2015 00:33:19 +0200

On Wed, Jul 01, 2015 at 12:02:40AM +0200, Tore Anderson wrote:
I was thinking that when I posted yesterday.

These were announcements from a peer, not customer routes.

We are lowering our max prefix limits on many peers as a result of this.

We are also going towards more prefix filtering on peers beyond bogons 
and martians.

You're not mentioning RPKI here. Any particular reason why not?

If I understand correctly, in today's leak the origin AS was
changed/reset, so RPKI ought to have saved the day. (At least
Grzegorz' day, considering that 33 of AS43996's prefixes are covered
by ROAs.)

This assessment is correct, however there might be some constraints in
play with regard to RPKI, which are not really related to RPKI itself,
which prohibit meaningful deployment. I've seen a few obstacles myself:

    - equipment might not support the RTR protocol to validate
      announcements against the cache validator
    - Legal obstacles in obtaining the anchors from all RIRs
    - when not using the RTR protocol but generating prefix-list filters
      based on RPKI data, the devices might not support sufficient
      entries.

Would be good if other people share obstacles, and possibly, the methods
they used to overcome those. I'll count "not using brocade" as a valid
method.

Kind regards,

Job
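
The origin check discussed in this message (route origin validation as defined in RFC 6811), as an added example that is not part of the original post. The ROA data, prefixes and AS numbers are constructed from documentation ranges, and `validate` and `accept` are hypothetical helper names.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin ASN).
# Documentation prefixes and ASNs only; not data from the leak in this thread.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
    ("2001:db8::/32", 48, 64496),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when it is the same or a less specific prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # A match needs the same origin and a length within max_length;
        # an AS0 VRP never matches any route.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(announcements, vrps=VRPS):
    """Drop only 'invalid' routes; keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements if validate(p, a, vrps) != "invalid"]

# Constructed announcements as received from a peer: (prefix, origin ASN).
RECEIVED = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # same prefix, origin reset by a leak
    ("198.51.100.0/26", 64497),  # right origin, longer than max_length
    ("203.0.113.0/24", 64511),   # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in RECEIVED:
        print(prefix, f"AS{asn}", validate(prefix, asn))
```

A route with no covering ROA comes back as not-found and is still accepted, so the check only protects prefixes whose holders have published ROAs.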

