nanog mailing list archives

Re: Reaching out to ARIN members about their RPKI INVALID prefixes


From: Alex Band <alex () nlnetlabs nl>
Date: Wed, 19 Sep 2018 11:45:24 +0200


On 19 Sep 2018, at 10:37, Christopher Morrow <morrowc.lists () gmail com> wrote:



On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin <phil.lavin () cloudcall com> wrote:
What about a one-off outreach effort?

Makes sense to me. As someone who (at least pretends to) care, I was very much unaware of RPKI before seeing 
discussion about it on NANOG and #ix.

That said, having recently done this with ARIN... they've got a long way to go before it's a simple process (like 
RIPE). Submitting numerous tickets over a 3-day period doesn't strike me as particularly efficient. If outreach was 
done and widely taken up, I'd think ARIN's help desk will struggle to meet the demand. If this is the case and it's 
a multi-week process to get RPKI set up, it would be expected that people will give up part way through the process.

Phil. Thanks, this is interesting input. I expected that the system ARIN set up was on par with that which RIPE/APNIC 
have set up... huh, I'm surprised that it required any tickets at all to accomplish :(

ARIN offers all of the features that the other RIRs do, but usability remains a (big) barrier. I did a talk at NANOG 
several years ago demonstrating how usability of the hosted RPKI system greatly impacted adoption and data quality in 
the RIPE region:

https://youtu.be/R2VV_APOFL8

At the time, a lot of effort went into providing a hosted RPKI system that suggested ROAs based on best practices, 
showed what the impact on BGP announcements was going to be and sent alerts when misconfigurations or hijacks occurred. 
This gives operators the confidence to use and maintain the system. As a result, the data set is now big and high 
quality enough for operators to start dropping invalids.

I’d be interested to hear how many operators in the ARIN region would be willing to set up ROAs (and maintain them!) if 
it weren’t so hard to do. This might entice ARIN to address the usability issue. Because non-repudiation or not, this 
process shouldn’t have to take several tickets and several days.

Be that as it may, we fully intend to build a Delegated CA that is on par with RIPE’s user experience so that operators 
can run RPKI themselves in a usable way.

Alex Band
NLnet Labs

