On (2015-06-02 21:51 -0700), Randy Bush wrote: > The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent > with the internet IP address allocation administration, the IANA,
Hijacking this thread. I've requested both our main vendors for 'loose rpki' years ago, nothing has happened. SP trying to deploy RPKI may have negative business impact, if far-end fat-fingers and fail RPKI, then my connectivity to them is broken, while competitor who isn't running RPKI still works fine. Essentially suits may view deploying RPKI as spending money to lose money. Comfortable slow-start would be to have 'loose rpki' which essentially has 3 adj-ribs, verified-rpki, missing-rpki, failed-rpki. Then loc-rib is build from each of these, so that no overlapping routes are installed from inferior ribs. That is, if verified-rpki has 192.0.2.0/24, missing/failed-rpki cannot install it or more-specific of it. Net result is, we will always use verified-rpki route if existing, but if no other options exist, we're happy to use any available route. JunOS allows routing-policy to match on verified status, but this cannot obviously override more-specifics. -- ++ytti