[anti-abuse-wg] [routing-wg] An arrest in Russia
- Previous message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
- Next message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Fri Jan 3 22:54:29 CET 2020
On Fri, Jan 03, 2020 at 01:40:41PM -0800, Ronald F. Guilmette wrote: > In message <20200103165918.GL72330 at Space.Net>, Gert Doering <gert at space.net> wrote: > >On Fri, Jan 03, 2020 at 04:14:07PM +0000, Suresh Ramasubramanian wrote: > >> So the RIR has absolutely no role in maintaining say IRR data? I > >> agree validating LOAs and such for routing changes would be on > >> providers. Though if the changes were to be made in IRR data who > >> would validate it? > > >IRR data is authenticated by registry data in RIPE land, if the > >resource holder chooses so. Short story. > > > > So, nobody can create routes for, say, my address space unless I > > authorize that. > > Yes. Nowadays, the RIPE IRR is better in this respect than any other > IRR that I am aware of. I'd like to offer some additional datapoints, in this context I consider an IRR (either by a RIR or NIR) 'validated' if "route:" objects can only be created with the consent of the then-current resource holder. Current RIRs: * All RPKI ROAs (under all of the five RIRs) are validated * RIPE NCC's "RIPE" IRR source is validated (but "RIPE-NONAUTH" is not). * APNIC's IRR source "APNIC" is 100% validated * AFRINIC's IRR source "AFRINIC" is 100% validated Current NIRs: * NIC.BR's "whois" registry (which contains routing data) is validated * JPNIC (who manage 'JPIRR') validates all route objects on a regular interval There are more NIRs, but not all of them have IRRs, or in some cases the IRR function has been outsourced back to the RIR. Near Future: * LACNIC is working on a "RPKI to IRR" bridge, which will bring a new RIR managed IRR source to the ecosystem, but it will be 100% validated since it is based on RPKI. * ARIN is working on a validated IRR, I myself am involved in this project to help achieve the best possible outcomes. So in short: the RIPE IRR is very good. There are more IRRs like it already today. And the remaining RIR IRRs are moving to a more secure service execution model. > Don't even get me started about RADB! They don't check anything, and > there are stale entires in there from 10+ years go for routes to > bogons. As far as I can tell, there is zero quality control and zero > maintenance, the result being that it has become one big playground > for routing crooks. As mentioned before, third party IRRs - through the IRRd 4 project - are working to address such shortcomings. Ronald as expressed some concern with the pace at which these projects are moving along, but I'm not sure things can be sped up - and I personally appreciate the positive direction in which things seem to be developing. Kind regards, Job
- Previous message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
- Next message (by thread): [anti-abuse-wg] [routing-wg] An arrest in Russia
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]