[162874] in North American Network Operators' Group
Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Fri May 3 17:42:23 2013
In-Reply-To: <51840010.4050006@foobar.org>
Date: Fri, 3 May 2013 17:42:08 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Nick Hilliard <nick@foobar.org>
Cc: "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, May 3, 2013 at 2:21 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 03/05/2013 19:08, Christopher Morrow wrote:
> > hopefully it won't involve people being brave :) hopefully good measurement
> > and metrics lead us to a position where things 'just work' and we can do it
> > with confidence! :)
>
> dropping prefixes means that you're ok about not having reachability to a
> prefix if its roa pops up as "unknown". This could be because the prefix
> holder hasn't bothered to register their prefix in the rpki (i.e.
> sloppiness), or it could be because the ROA has been revoked for some
> reason (e.g. because of hijacking). For sure, a router can't tell the
> difference.
>
>
right, in the ideal tomorrow-tomorrow-land ... this all is part of turnup
and the timelines associated with propagation/etc are all known and
accounted for. Additionally, the systems involved are all well understood
and redundant/resilient/etc.
in short, in the tomorrow-tomorrow-land... this all just works as we
expect/want, and the only 'unknown' are actually 'invalid'.
> From a deployment point of view, there's a pretty big gap between poking
> around with rpki and actually dropping prefixes on your routers. I don't
> see that the rpki data will be good enough for the latter any time soon,
> but maybe one day.
>
>
right, no problem with this.
> Nick
>
>
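
Added example, not part of the original message or of any router or validator implementation: a minimal RFC 6811 route origin validation in Python, showing why a prefix whose ROA was revoked lands in the same state ("unknown" in the thread, NotFound in RFC 6811) as a prefix that was never registered. The ROA contents, documentation prefixes, private-use ASNs and the two policy names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: object      # ipaddress network object
    max_length: int
    asn: int

def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # A match needs the same origin AS (AS0 never matches) and a
        # route length no longer than the ROA's max length.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    # Covered but unmatched is invalid; no covering ROA at all is notfound.
    return "invalid" if covered else "notfound"

def accepted(state, policy):
    """Hypothetical import policies named after the two positions in the thread."""
    if policy == "drop-invalid":
        return state != "invalid"
    if policy == "drop-unknown":
        return state == "valid"
    raise ValueError(policy)

def scenario():
    before = [roa("192.0.2.0/24", 24, 64496)]   # constructed ROA set
    after = []                                  # same set once that ROA is revoked
    return {
        "registered": validate("192.0.2.0/24", 64496, before),
        "wrong_origin": validate("192.0.2.0/24", 64511, before),
        "too_specific": validate("192.0.2.128/25", 64496, before),
        "never_registered": validate("198.51.100.0/24", 64497, before),
        "after_revocation": validate("192.0.2.0/24", 64496, after),
    }

if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:17} {state:9} drop-invalid={accepted(state, 'drop-invalid')}"
              f" drop-unknown={accepted(state, 'drop-unknown')}")
```

The router-side input is only the current ROA set, so the revoked case and the never-registered case produce the same state and receive the same treatment under either policy.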