Hi Nathalie,

On Fri, Mar 19, 2021 at 4:24 AM Nathalie Trenaman <nathalie@ripe.net> wrote:
[...]
If the goal is to do this in a customer friendly way, perhaps consider creating a website at something like: https://brokenrpki.ripe.net, on a network that does not validate RPKI, so that users can be provided with any analytical tools or step-by-step guides thought necessary.
First of all, thanks for the warm support for ROV on AS3333. I’m reading all mails and the discussion with great interest. Now, here Leo brings up a tricky point. If we would create such a website, outside of our network, we would basically tell that other party to never-ever do ROV themselves. I don’t think that we can (or should) demand that from another network. Also, other operational “back doors” are not a good idea, as we try to equally protect the registry and the routing table. This will have consequences. Operators who “locked themselves out” should use another network to reach the LIR Portal.
I might not have been clear. Sorry. My intention was not for the RIPE NCC to create a full-service LIR Portal on a network that doesn't use RPKI. Instead, I was trying to suggest creating something like the many DNSSEC validation checking websites that help you understand where things have gone wrong. Being able to provide this analysis to someone who has tripped over will allow you to provide them with authoritative advice on the paths they could take to fix things.
Apart from a big warning in the LIR Portal if they are about to do something that can lock them out (as Gert mentioned), there isn’t much we can do. And from what I read here, there isn’t much more we should do.
This is definitely a good idea.

Kind regards,

Leo