Re: Out of ideas - Comcast issue BGP peering with Tata
Hi friend,

Any idea how many segments are in routing table which are still not part of RIR holdership?

Regards,
Gaurav Kansal

> On 22-Nov-2023, at 07:40, nanog@nanog.org wrote:
>
>>
>>> Special note, deprecation of non-authoritative registries
>>>
>>> Please note that 'route' and 'route6' objects created after 2023-Aug-15 in
>>> non-authoritative registries like RADB, NTTCOM, ALTDB won't be processed.
>>> It is recommended to create RPKI ROA objects instead. In rare cases if
>>> that's not possible, 'route' and 'route6' must be created in the
>>> authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE, NIC.br
>>> or IDNIC.
>>
>
> So basically, a giant #@*&$^ you to any legacy holders that aren’t paying an
> RIR.
>
> Great!!
>
> Thanks, Tata
>
Re: Out of ideas - Comcast issue BGP peering with Tata
>
>> Special note, deprecation of non-authoritative registries
>>
>> Please note that 'route' and 'route6' objects created after 2023-Aug-15 in
>> non-authoritative registries like RADB, NTTCOM, ALTDB won't be processed. It
>> is recommended to create RPKI ROA objects instead. In rare cases if that's
>> not possible, 'route' and 'route6' must be created in the authoritative
>> registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE, NIC.br or IDNIC.
>

So basically, a giant #@*&$^ you to any legacy holders that aren’t paying an RIR.

Great!!

Thanks, Tata
Re: Your Input Needed: Can ROA Replace LOA? ? Short Survey (7 mins)
> On Nov 17, 2023, at 07:02, Tom Beecher wrote:
>
>> Therefore, Cogent currently does not have and is not member of ARIN. It
>> refuses to sign contract with ARIN and currently Cogent is not bound by this
>> RUD rules and regulations.
>>
>> There is one downfall to not being ARIN member, Cogent cannot currently
>> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
>> out IP addresses.
>
> Not entirely accurate.
>
> Cogent Communications is already a General Member of ARIN. You can see that
> for yourself here : https://account.arin.net/public/member-list .
> *Membership* is not a prerequisite for anything RPKI.

Membership is not, but… You can’t have ARIN resources under contract without also getting membership along with them any more, so, effectively, you can’t get RPKI without membership.

However, just because you are a member doesn't mean you can get RPKI for all of your resources… Indeed, you can only get RPKI for your resources under ARIN contract.

> ARIN requires an RSA or LRSA in place covering a number resource before they
> will be the trust anchor for that number resource. In the design of RPKI,
> this should make logical sense. Many legacy resource holders have their own
> reasons on why they chose not to sign an LRSA for those resources, so there
> is a chicken/egg problem here.

Interestingly, RIPE-NCC will issue RPKI for non-contracted resources if they have a sponsoring LIR. Generally this means paying 70-100EU/year/resource to some RIPE member (who ends up passing 50EU of that to RIPE as part of their annual fees). LIR Prices vary greatly, so be prepared to negotiate.

Or just don’t bother with RPKI, you’re not really missing anything.

Owen
Re: DoD contact
Might not be helpful to everyone here, but if you are American you can go through your US representative. I’ve escalated an issue with a US gov network exactly once for a v6 issue through my senator and I got an email back from the correct team 2 days later, so YMMV.

-Dan Marks

On Nov 21, 2023, at 10:08, Scott Q. wrote:

> Can anyone recommend a preferred method for contacting the network folks at the DoD ?
>
> It seems they blanket banned large swaths of our upstream provider ( Aptum AS 13768 ) which includes all of our subnets as well.
>
> We can't connect to any IP that they manage which includes DNS resolution for .mil , mail service, etc.
>
> I tried reaching out ( and Aptum as well ) to disa.columbus.ns.mbx.hostmaster-dod-...@mail.mil from an external address and although the e-mail didn't bounce, we also didn't receive any answer for a few days now.
>
> Is there another way to get in touch with them ?
>
> Thanks!
>
> Scott
Re: Generally accepted BGP acceptance criteria?
Thus spake Tom Samplonius (t...@samplonius.org) on Mon, Nov 20, 2023 at 07:02:52PM -0800:
> > On Nov 17, 2023, at 6:58 AM, Christopher Morrow
> > wrote:
> > IRR filters provide control over whom is provided reachability through
> > a particular peering/path.
>
> How does that work? IRR import: and export: parameters are poorly
> implemented. Is anyone actually validating more than the origin with IRR?

I think "validating" is the wrong verb for IRR. "Provisioning" may be more accurate.

As an example, my AS293 peers with AS6509. In the AS-SET that they publish, AS6509:AS-CANARIE, the "members:" field for instance lists AS271:AS-BCNET-MEMBERS which then lists AS271 in its members.

An inverse query to an IRR whois server from such a tool as 'bgpq4' walks this tree to generate a list of prefixes applicable to in effect, a given path presuming you know what IRR object to start with. That is where import/export typically comes into play.

RPSL's 'import:' and 'export:' (and the mp-variants) are problematic at best to use programmatically. Our provisioning system for example doesn't bother and uses the IRR object specified in PeeringDB for filter generation by default.

Dale
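
The AS-SET walk described in the message above, as an added example that is not part of the original post and is not bgpq4's code: it expands an as-set recursively and turns the origins into a prefix filter. The IRR snapshot, the prefixes, AS64500, the loop between the two sets and the /24 and /48 length limits are all constructed assumptions.

```python
import ipaddress

# Constructed IRR snapshot: as-set "members:" fields (with a deliberate loop)
AS_SETS = {
    "AS6509:AS-CANARIE": ["AS6509", "AS271:AS-BCNET-MEMBERS"],
    "AS271:AS-BCNET-MEMBERS": ["AS271", "AS64500", "AS6509:AS-CANARIE"],
}
# Constructed route/route6 objects keyed by origin (documentation prefixes)
ROUTES = {
    "AS6509": ["192.0.2.0/24"],
    "AS271": ["198.51.100.0/24", "2001:db8:271::/48"],
    "AS64500": ["203.0.113.0/24", "203.0.113.128/25"],
}

def expand_as_set(name, as_sets, seen=None):
    """Return every origin ASN reachable from an as-set, tolerating loops."""
    seen = set() if seen is None else seen
    if name in seen:                 # already visited: breaks membership cycles
        return set()
    seen.add(name)
    if name not in as_sets:          # plain ASN, or a set absent from the snapshot
        return {name} if name[2:].isdigit() else set()
    origins = set()
    for member in as_sets[name]:
        origins |= expand_as_set(member, as_sets, seen)
    return origins

def build_prefix_filter(as_set, as_sets, routes, max_v4=24, max_v6=48):
    """List registered prefixes for all expanded origins, dropping over-specifics."""
    nets = set()
    for asn in expand_as_set(as_set, as_sets):
        for prefix in routes.get(asn, []):
            net = ipaddress.ip_network(prefix)
            limit = max_v4 if net.version == 4 else max_v6
            if net.prefixlen <= limit:
                nets.add(net)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

if __name__ == "__main__":
    for line in build_prefix_filter("AS6509:AS-CANARIE", AS_SETS, ROUTES):
        print("permit", line)
```

The filter is only as good as the object the walk starts from, which is why the message's point about knowing which IRR object to use (for example the one published in PeeringDB) matters.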
DoD contact
Can anyone recommend a preferred method for contacting the network folks at the DoD ?

It seems they blanket banned large swaths of our upstream provider ( Aptum AS 13768 ) which includes all of our subnets as well.

We can't connect to any IP that they manage which includes DNS resolution for .mil , mail service, etc.

I tried reaching out ( and Aptum as well ) to disa.columbus.ns.mbx.hostmaster-dod-...@mail.mil from an external address and although the e-mail didn't bounce, we also didn't receive any answer for a few days now.

Is there another way to get in touch with them ?

Thanks!

Scott
Re: Generally accepted BGP acceptance criteria?
> On Nov 17, 2023, at 6:58 AM, Christopher Morrow
> wrote:
>
>> On Thu, Nov 16, 2023 at 9:31 PM Tom Samplonius wrote:
>
>>> The most surprising thing in the DE-DIX flow chart, was that they check
>>> that the origin AS exists in the IRR as-set, before doing RPKI, and if the
>>> set existence fails, they reject the route. I don’t see a problem with
>>> this, as maintaining as-sets is easy, but it does prevent an eventual 100%
>>> RPKI future with no IRR at all.
>
> I don't think the future is ever really 'no irr'.
> * RPKI provides: "a cryptographically verifiable method to determine
> authority to use ip number resources"
> * OriginValidation provides: "A route origin authorization
> 'database' for use eventually on BGP speakers"

Those both amount to the ability to originate a prefix though.

> IRR filters provide control over whom is provided reachability through
> a particular peering/path.

How does that work? IRR import: and export: parameters are poorly implemented. Is anyone actually validating more than the origin with IRR?

> (dale points this out as well, particularly the part about paths he points
> out)

Tom
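
The check order quoted in the message above (origin AS must be in the peer's as-set before RPKI is consulted), as an added example that is not part of the original post and not the exchange's own code. The ROA data, ASNs and prefixes are constructed, origin validation follows RFC 6811, and accepting RPKI "notfound" routes is an assumption the thread does not state.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, maxLength, origin ASN)
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]
# Constructed, already-expanded as-set of the announcing peer
PEER_AS_SET = {64500, 64502}

def rov_state(prefix, origin, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue                      # this ROA does not cover the route
        covered = True
        if vrp_asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def accept_route(prefix, origin, as_set_members, vrps):
    """as-set membership first, then RPKI; returns (accepted, reason)."""
    if origin not in as_set_members:
        return (False, "origin not in as-set")   # rejected before RPKI is checked
    state = rov_state(prefix, origin, vrps)
    if state == "invalid":
        return (False, "rpki invalid")
    return (True, "rpki " + state)               # assumption: notfound is accepted

if __name__ == "__main__":
    samples = [                                  # constructed announcements
        ("192.0.2.0/24", 64500),     # in as-set, ROA matches
        ("198.51.100.0/24", 64501),  # ROA matches, but origin not in as-set
        ("192.0.2.0/25", 64500),     # in as-set, longer than maxLength
        ("203.0.113.0/24", 64502),   # in as-set, no covering ROA
    ]
    for prefix, origin in samples:
        print(prefix, origin, accept_route(prefix, origin, PEER_AS_SET, VRPS))
```

The second sample is the case the message raises: a route with a matching ROA is still rejected when the origin is missing from the as-set, so the IRR object remains a hard dependency under this ordering.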
Re: Advantages and disadvantages of legacy assets
On Mon, Nov 20, 2023 at 3:25 PM o...@delong.com wrote:
>
> It’s unlikely that lack of RPKI will be a significant drawback for the
> foreseeable future.
>

It is actually. The older Orgs I manage all have RIR-based IRR and RPKI.

Thanks all for the answers
Re: Advantages and disadvantages of legacy assets
On Mon, Nov 20, 2023 at 10:59 AM Eric Dugas via NANOG wrote:
> Let's say you inherit legacy assets (ASN & IPv4 netblock), what are the first
> advantages that come to mind (beside not having to pay annual fees).
>
> Any disadvantages? The ones I can think of is the lack of RIR routing
> security services (in the ARIN region at least). No IRR, no RPKI at all.

Hi Eric,

Disadvantages: Expensive IRR. No RPKI. No vote in ARIN elections. No legal clarity regarding the status of your resources.

Advantages: Free. No legal clarity regarding the status of your resources.

I listed legal clarity as both an advantage and disadvantage.

When you sign the ARIN registration services agreement (RSA) you get legal clarity: you are bound by the Number Resource Policy Manual (NRPM) which is subject to change with the approval of the ARIN Board of Trustees which usually follows but is not required to follow a fungible community consensus process. Don't like a change? Too bad. You can deal with it or you can cancel your ARIN contract. If you cancel your contract ARIN reclaims the IP addresses and you have no legal recourse whatsoever. Not that ARIN would ever behave badly. They're good people who earnestly endeavor to do right by the community. But if that changes tomorrow, you'll have no recourse.

Skip signing and you have whatever common law rights you have to the IP addresses. Whatever those are. When InterNIC, acting as an agent of the U.S. Government, granted the addresses decades ago, they didn't spend a lot of (or really any) words on the question of legal rights. It hasn't been well tested in court. ARIN claims that the NRPM applies to you anyway, but as a matter of history no provision of the NRPM has ever been adversely applied to the legitimate holder of a then-legacy resource. Not even once. The legal foundation for a claim that it can be is weak at best. The legal risk to ARIN, should it ever attempt to do so, is not trivial.

In a nutshell, you can either have a lack of clarity as to your rights or you can clearly have no rights.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/