Hi,
Some folks asked if I can share today's output of the tool for all ASNs,
here it is:
http://instituut.net/~job/ripe-proposal-2018-06-output.txt
Kind regards,
Job
On Wed, Mar 06, 2019 at 12:51:25PM +0000, Job Snijders wrote:
> Dear all,
>
> I wrote a small tool to help understand the effects if RIPE Policy
> Proposal 2018-06 is accepted by the community. This is the "Let's use
> RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR
> source!"-proposal (source:
> https://www.ripe.net/participate/policies/proposals/2018-06).
> The tool can also be used by RIPE NCC staff to validate their
> implementation or help their impact analysis.
>
> Quick reminder: this proposal does *not* impact any RIPE Managed space,
> this does *not* impact IP space for which no RPKI ROAs have or can be
> created, and it does *not* impact route objects where the route object
> and the RPKI ROA are match each other.
>
> Currently there are 793 IRR "route:" objects and 17 "route6:" objects
> that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33
> prefixes are visible in the BGP DFZ as exact matches between what is
> registered in RIPE-NONAUTH and in BGP (note: this means these 33
> announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T
> probably aren't accepting those announcements anyway)...
>
> You can install the tool through 'pip3 install ripe-proposal-2018-06', or
> download the source from https://github.com/job/ripe-proposal-2018-06
>
> Usage example:
>
> $ ripe-proposal-2018-06 -a 7018
> Downloading https://rpki.gin.ntt.net/api/export.json
> Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
>
> INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has
> conflicts:
>
> route: 99.122.224.0/21
> descr: route for customer Akamai International
> origin: AS1273
> created: 2008-09-08T14:40:49Z
> last-modified: 2018-09-04T15:54:45Z
> source: RIPE-NONAUTH
> mnt-by: CW-EUROPE-GSOC
>
> Above non-authoritative IRR object is in conflict with this ROA:
> ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
>
> Note that AT&T has no method of getting this erroneous "route:" object
> removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
>
> We're working on an updated version of RIPE Policy Proposal 2018-06 to
> incorporate feedback from the community, such as an attempt to send
> notifications and a grace period before the object is actually removed.
>
> All in all it appears that if this policy proposal is deployed *now*,
> the operational impact is virtually non-existent; and after deploying
> this the global community has an industry-standard way to get rid of
> stale proxy route registrations. With every published ROA the
> "RIPE-NONAUTH" source becomes cleaner!
>
> Kind regards,
>
> Job
