nanog mailing list archives

Re: 2749 routes AT RISK - Re: TIMELY/IMPORTANT - Approximately 40 hours until potentially significant routing changes (re: Retirement of ARIN Non-Authenticated IRR scheduled for 4 April 2022)


From: Job Snijders via NANOG <nanog () nanog org>
Date: Tue, 5 Apr 2022 00:56:37 +0200

On Mon, Apr 04, 2022 at 06:35:31PM -0400, Jon Lewis wrote:
On Tue, 5 Apr 2022, Job Snijders wrote:
Are others jumping ship or planning to from ALTDB (no offense intended, and
grateful for the service you've provided) and other non-auth IRRs like RADB
due to networks like Tata announcing that they won't honor route objects
created in non-authoritative IRR DBs after late last year and plan to ignore
them entirely by late next year?  i.e.

From: https://lg.as6453.net/doc/cust-routing-policy.html

  Special note, deprecation of non-authoritative registries

  Please note that 'route' and 'route6' objects created after 2021-Aug-15
  in non-authoritative registries like RADB, NTTCOM, ALTDB and others
  will not work. Objects created before that date will continue to work till
  2023-Aug-15. It is recommended to create RPKI ROA objects instead. In
  rare cases if that's not possible, 'route' and 'route6' must be created
  in the authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE,
  NIC.br or IDNIC.

I very much appreciate Tata's efforts to strive to only use authoritative
data when making BGP routing decisions; however the scope of their
charter is of course confined to just Tata's own operations. Tata's
routing policies affect only Tata's customer cone.

I'm (well, work is) a Tata customer.  So their policy wrt which IRR's
they'll honor objects in matters to me, and going forward, it makes no sense
for us to create new objects in ALTDB or RADB...and those proxy
registrations Kenneth created in ALTDB, if any of those networks are
originated by Tata customers, I presume the new ALTDB objects won't cause
Tata prefix-list filters to include those routes.

Right.

I just wonder if Tata is alone leading the charge to deprecate non-auth
IRRs, or if there are other notable networks with similar policies?

I think there clearly is an industry-wide trend to move away from
'unsigned plain-text non-authoritative' datasets, towards better sources
of truth such as the VRP data available through the RIR RPKI Trust
Anchors.

There are variances in how stakeholders implement this paradigm shift:
some operators move towards wholesale ignorance of non-auth databases
(like Tata); some operators use softer transition mechanisms (examples:
what RIPE NCC did in lieu of RIPE-731, or how IRRd v4 in its default
configuration magically makes RPKI-invalid IRR objects disappear).

I think all of us recognize a need to declaw "third party" IRR databases
like RADB and ALTDB ("declawing" meaning that it is not desirable that
anyone can just register *anything*); on the other hand our community
also has to be cognizant about there being parts of the Internet which
are not squatting on anyone's numbers *and* also are not contracted to a
specific RIR.

Kind regards,

Job
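
The following is an added example, not part of the message above and not IRRd's own code: a sketch of the kind of filtering the message attributes to IRRd v4, where IRR route objects that are RPKI-invalid are hidden, using the RFC 6811 origin validation procedure. The VRPs, route objects, and function names are constructed for illustration (documentation prefixes and private-use ASNs).

```python
import ipaddress

# Constructed sample data, not real registry contents.
VRPS = [  # (prefix, max_length, origin ASN), as found in validated ROA payloads
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]
ROUTE_OBJECTS = [  # (prefix, origin ASN, IRR source)
    ("192.0.2.0/24", 64500, "ALTDB"),     # matches a VRP
    ("192.0.2.0/24", 64511, "RADB"),      # covered, but wrong origin
    ("198.51.100.0/25", 64501, "RADB"),   # covered, but longer than max_length
    ("203.0.113.0/24", 64502, "ALTDB"),   # no covering VRP at all
    ("2001:db8:1::/48", 64500, "RADB"),   # more specific, within max_length 48
]


def rov_state(prefix, origin, vrps):
    """RFC 6811 origin validation: return 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if it is the same prefix or a less specific one.
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # AS0 VRPs never match; they only mark the space as "do not route".
        if net.prefixlen <= max_len and origin == vrp_asn and vrp_asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"


def visible_objects(route_objects, vrps):
    """Keep valid and not-found objects; hide the RPKI-invalid ones."""
    return [o for o in route_objects if rov_state(o[0], o[1], vrps) != "invalid"]


if __name__ == "__main__":
    for prefix, origin, source in ROUTE_OBJECTS:
        state = rov_state(prefix, origin, VRPS)
        print(f"{prefix:18} AS{origin} {source:6} {state}")
```

Objects with no covering VRP stay visible under this rule, which is what separates it from ignoring non-authoritative registries outright.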

