[146293] in North American Network Operators' Group
Re: where was my white knight....
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Tue Nov 8 17:20:41 2011
X-Envelope-To: nanog@nanog.org
Date: Tue, 08 Nov 2011 22:19:24 +0000
From: Nick Hilliard <nick@foobar.org>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <77240.1320787968@turing-police.cc.vt.edu>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 08/11/2011 21:32, Valdis.Kletnieks@vt.edu wrote:
> Anybody who puts their rpki cache someplace that isn't accessible until they
> get the rpki initialized gets what they deserve.
One solution is to have directly-connected rpki caches available to all
your bgp edge routers throughout your entire network. This may turn out to
be expensive capex-wise, and will turn out to be yet another critical
infrastructure item to maintain, increasing opex.
Alternatively, you host rpki caches on all your AS-edge routers => upgrades
- and lots of currently-sold kit will simply not handle this sort of thing
properly.
> Once you realize this, the rest of the "what do we do for routing until
> it comes up" concern trolling in the rest of that paragraph becomes
> pretty easy to sort out...
I humbly apologise for expressing concern about the wisdom of imposing a
hierarchical, higher-layer validation structure for forwarding-info
management on a pre-existing lower layer fully distributed system which is
already pretty damned complex...
What's that principle called again? Was it "Keep It Complex, Stupid"? I
can't seem to remember :-)
> Caching just enough to validate the routes you need to get to a more capable
> rpki server shouldn't have a high write life-cycle.
Lots of older flash isn't going to like this => higher implementation cost
due to upgrades.
> Heck, you could just manually
> configure a host route pointing to the rpki server...
Yep, hard coding things - good idea, that.
> And it would hardly be the first time that people have been unable to deploy
> feature XYZ because it wouldn't fit in the flash on older boxes still in
> production.
This is one of several points I'm making: there is a cost factor here, and
it's not clear how large it is.
Nick
