Christopher Morrow wrote on 11/12/2019 03:45:
On Tue, Dec 10, 2019 at 7:32 PM Rubens Kuhl <rube...@gmail.com> wrote:
Which brings me to my favorite possible RPKI-IRR integration: a ROA
that says that IRR objects on IRR source x with maintainer Y are
authoritative for a given number resource. Kinda like SPF for BGP.
Is this required? or a crutch for use until a network can publish
all of their routing data in the RPKI?
it sounds like a great idea which is a terrible idea. Each operator
will make their own choice about what RPKI TALs to accept. Once they're
loaded up on the rpki caches, do you really want to push more complexity
down to the router control plane with and start making per-device
choices about how to handle the trust level of each individual ROA? The
internet dfz is already being killed with complexity. Configuring
per-prefix trust levels at a per-device level is nuts - and wholly
non-scalable.
If you don't want to see ROAs from a specific source, then don't import
their TAL.
Nick