Dear all,
I wrote a small tool to help understand the effects if RIPE Policy
Proposal 2018-06 is accepted by the community. This is the "Let's use
RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR
source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06).
The tool can also be used by RIPE NCC staff to validate their
implementation or help their impact analysis.
Quick reminder: this proposal does *not* impact any RIPE Managed space,
this does *not* impact IP space for which no RPKI ROAs have or can be
created, and it does *not* impact route objects where the route object
and the RPKI ROA are match each other.
Currently there are 793 IRR "route:" objects and 17 "route6:" objects
that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33
prefixes are visible in the BGP DFZ as exact matches between what is
registered in RIPE-NONAUTH and in BGP (note: this means these 33
announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T
probably aren't accepting those announcements anyway)...
You can install the tool through 'pip3 install ripe-proposal-2018-06', or
download the source from https://github.com/job/ripe-proposal-2018-06
Usage example:
$ ripe-proposal-2018-06 -a 7018
Downloading https://rpki.gin.ntt.net/api/export.json
Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts:
route: 99.122.224.0/21
descr: route for customer Akamai International
origin: AS1273
created: 2008-09-08T14:40:49Z
last-modified: 2018-09-04T15:54:45Z
source: RIPE-NONAUTH
mnt-by: CW-EUROPE-GSOC
Above non-authoritative IRR object is in conflict with this ROA:
ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
Note that AT&T has no method of getting this erroneous "route:" object
removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
We're working on an updated version of RIPE Policy Proposal 2018-06 to
incorporate feedback from the community, such as an attempt to send
notifications and a grace period before the object is actually removed.
All in all it appears that if this policy proposal is deployed *now*,
the operational impact is virtually non-existent; and after deploying
this the global community has an industry-standard way to get rid of
stale proxy route registrations. With every published ROA the
"RIPE-NONAUTH" source becomes cleaner!
Kind regards,
Job
