> On Sep 18, 2018, at 2:15 PM, Christopher Morrow <morrowc.li...@gmail.com> > wrote: > > > > On Tue, Sep 18, 2018 at 1:33 PM nusenu <nusenu-li...@riseup.net > <mailto:nusenu-li...@riseup.net>> wrote: > Christopher Morrow wrote: > > Perhaps this was answered elsewhere, but: "Why is this something > > ARIN (the org) should take on?" > > Thanks for this question, I believe this is an important one. > > I reasoned about why I think RIRs are in a good position to send these emails > here: [1] > but I will quote from it for convenience: > > > Notifying affected IP Holders > > > > The natural next step (and that was our initial intention when > > looking at INVALIDs) would be to send out emails to affected IP > > holders and ask them to address the INVALIDs but although that could > > be automated, we believe the impact would be better, if that email > > came from some trusted entity like the RIR relevant to the affected > > IP holder instead of a random entity they never had any contact > > before (us). > > > > Asking RIRs to reach out to their members also scales better since > > every RIR would only have to take care of their own members. > [...] > > > i don't know that the contacts the RIR has for the entity is necessarily the > one that controls/deals-with the RPKI data though.
It sort of has to be, as managing your RPKI data (at least in the ARIN region) involves doing it through your ARIN On-Line account which must be associated with the ORG associated with the resources in question. > I also think that generally if folk set all that up they probably know (or > will soon enough) that they have a mistake. You overestimate some things here. > Generally speaking, I think "folk should fix themselves, and maintain/monitor > their configuration", that ARIN (or anyone else sending 'unsolicited email') > here is going to end badly in the worst case and 'not have any effect' in the > majority of cases. Agreed. > > [1] https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c > <https://medium.com/@nusenu/towards-cleaning-up-rpki-invalids-d69b03ab8a8c> > > > > Why can't (or why isn't) this something that 'many' > > monitoring/alerting companies/orgs are offering? > > There are companies offering BGP monitoring including RPKI ROAs, but > the affected IP holders are unlikely customers of those monitoring > services or generally aware of the problem. > > > ok, maybe they should though? :) I love a good tautology. > > > it's unclear, to me, why ARIN is in any better position than any > > other party to perform this sort of activity? I would expect that, at > > the base level, "I just got random/unexpected email from ARIN?" will > > get dropped in the spam-can, while: "My monitoring company to which I > > signed up/contracted emailed into my ticket-system for action.. > > better go do something!" is the path to incentivize. > > The problem is how do you make operators aware of the problem in the first > place. > > > ideally they are aware of thier own config, have a person(s) responsible for > managing that configuration and care about reachability... if they don't > have that today, they will soon enough. Optimist! Owen