On Mon, May 02, 2016 at 02:26:46PM +0200, Gert Doering wrote:
[..] On Mon, May 02, 2016 at 02:02:39PM +0000, Erik Bais wrote:
The goal is to limit the options so that spammers can't initiate hijacks ... So there is a common goal ..
I still fail to see why this new technical mechanism is better than the existing mechanism (RPKI, at least, and possibly route/route6 objects), *and* why these database operators would actually *use* them, if they fail to do verification today for the existing and easy cases.
The issue with RPKI .. is that that not everything is signed ... Another issue due to the distributed options in RPKI, one can run their own certification environment.. The intention is to use a system that would fix it for the all IP resources within a single region (RIPE in this example) in order to close idiotic input into those DB's.... Yes, there is currently garbage in some of those databases.. I'm personally still waiting on a reply from the Savvy DB maintainers for a ticket update send 2 months ago .. perhaps longer .. If the third party database isn't updating to the new way of authorizing prefixes to the originating RIR and not doing any housekeeping on expired objects ... their usefulness is close to zero for future use and inclusion in any prefix filter development that is in the future. I would personally like to see future developments of bgpq3 or the IRR Toolset to limit their default inclusion to those DB's that actually validate input ...
OTOH, some evidence of buy-in from L3, RADB, etc. that this is something they are only waiting for and stuff will get implemented quickly afterwards would convince me that it's a good thing :-)
Agree, I think that this would indeed be a good thing ... Regards, Erik Bais