[176603] in North American Network Operators' Group


Re: ARIN's RPKI Relying agreement

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Fri Dec 5 12:03:53 2014

X-Original-To: nanog@nanog.org
X-Envelope-To: nanog@nanog.org
Date: Fri, 05 Dec 2014 17:00:35 +0000
From: Nick Hilliard <nick@foobar.org>
To: Randy Bush <randy@psg.com>
In-Reply-To: <m2k32671zf.wl%randy@psg.com>
Cc: John Curran <jcurran@arin.net>,
 North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On 05/12/2014 11:47, Randy Bush wrote:
>>> and the difference is?
>> rpki might work at scale.
> ohhh noooooooooo!

rtconfig + prefix lists were never going to work at scale, so rpsl based
filters were mostly only ever deployed on asn edges rather than dfz core
inter-as bgp sessions.  This meant that the damage that a bad update might
cause would be relatively limited in scope.  RPSL's scaling limitations do
not apply to rpki, so in theory the scope for causing connectivity problems
is a good deal greater.  So if e.g. ARIN went offline or signed some broken
data which caused Joe's Basement ISP in Lawyerville to go offline globally,
you can probably see why ARIN would want to limit its liability.
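
Added example, not part of the message above or of any RPKI validator's code: a minimal sketch of RFC 6811 route origin validation showing how one wrongly signed ROA yields the same "invalid" verdict at every network that drops invalids. The function names, the policy table, and the sample prefixes and ASNs (documentation ranges) are constructed for illustration.

```python
import ipaddress

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation against validated ROA payloads.

    vrps: iterable of (roa_prefix, max_length, asn) tuples.
    Returns "valid", "invalid" or "notfound".
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        # A VRP covers the route only if the route lies inside its prefix.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        # AS0 never matches; the length must not exceed maxLength.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered but unmatched is "invalid"; no covering VRP is "notfound".
    return "invalid" if covered else "notfound"

def networks_dropping(prefix, origin_asn, vrps, policies):
    """Names of networks whose policy rejects this announcement."""
    state = validate(prefix, origin_asn, vrps)
    return sorted(name for name, drop_invalid in policies.items()
                  if drop_invalid and state == "invalid")

# Constructed sample data: documentation prefix and ASNs.
ROUTE = ("192.0.2.0/24", 64500)
GOOD_VRPS = [("192.0.2.0/24", 24, 64500)]
WRONG_ASN = [("192.0.2.0/24", 24, 64501)]  # ROA signed with the wrong origin
# Hypothetical networks; True means "reject RPKI-invalid routes".
POLICIES = {"transit-a": True, "transit-b": True, "ixp-peer": False}

if __name__ == "__main__":
    for label, vrps in (("good ROA", GOOD_VRPS), ("wrong-ASN ROA", WRONG_ASN)):
        print(label, validate(*ROUTE, vrps),
              networks_dropping(*ROUTE, vrps, POLICIES))
```

Every validating network derives its verdict from the same signed data, so the set of networks rejecting the route depends only on who enforces, not on who built which filter.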

