Analysis tool for RIPE Proposal 2018-06
Dear all, I wrote a small tool to help understand the effects if RIPE Policy Proposal 2018-06 is accepted by the community. This is the "Let's use RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06). The tool can also be used by RIPE NCC staff to validate their implementation or help their impact analysis. Quick reminder: this proposal does *not* impact any RIPE Managed space, this does *not* impact IP space for which no RPKI ROAs have or can be created, and it does *not* impact route objects where the route object and the RPKI ROA are match each other. Currently there are 793 IRR "route:" objects and 17 "route6:" objects that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33 prefixes are visible in the BGP DFZ as exact matches between what is registered in RIPE-NONAUTH and in BGP (note: this means these 33 announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T probably aren't accepting those announcements anyway)... You can install the tool through 'pip3 install ripe-proposal-2018-06', or download the source from https://github.com/job/ripe-proposal-2018-06 Usage example: $ ripe-proposal-2018-06 -a 7018 Downloading https://rpki.gin.ntt.net/api/export.json Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts: route: 99.122.224.0/21 descr: route for customer Akamai International origin: AS1273 created: 2008-09-08T14:40:49Z last-modified: 2018-09-04T15:54:45Z source: RIPE-NONAUTH mnt-by: CW-EUROPE-GSOC Above non-authoritative IRR object is in conflict with this ROA: ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN) Note that AT&T has no method of getting this erroneous "route:" object removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'. We're working on an updated version of RIPE Policy Proposal 2018-06 to incorporate feedback from the community, such as an attempt to send notifications and a grace period before the object is actually removed. All in all it appears that if this policy proposal is deployed *now*, the operational impact is virtually non-existent; and after deploying this the global community has an industry-standard way to get rid of stale proxy route registrations. With every published ROA the "RIPE-NONAUTH" source becomes cleaner! Kind regards, Job
Hi, I support this clean-up of RIPE-NONAUTH IRR using information published in the RPKI. AT&T has been allocated 99.112.0.0/12, and we have not sub-allocated 99.122.224.0/21 to Akamai, CW-EUROPE-GSOC, AS1273, or anyone. Folks are encouraged to use the ROA we have published for 99.112.0.0/12 authorizing origination in our as7018 in all ways that make sense, including removing bogus / obsolete route objects from the IRR. Thanks! Jay B. On 06-March-2019, Job Snijders writes:
Dear all,
I wrote a small tool to help understand the effects if RIPE Policy Proposal 2018-06 is accepted by the community. This is the "Let's use RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06). The tool can also be used by RIPE NCC staff to validate their implementation or help their impact analysis.
Quick reminder: this proposal does *not* impact any RIPE Managed space, this does *not* impact IP space for which no RPKI ROAs have or can be created, and it does *not* impact route objects where the route object and the RPKI ROA are match each other.
Currently there are 793 IRR "route:" objects and 17 "route6:" objects that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33 prefixes are visible in the BGP DFZ as exact matches between what is registered in RIPE-NONAUTH and in BGP (note: this means these 33 announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T probably aren't accepting those announcements anyway)...
You can install the tool through 'pip3 install ripe-proposal-2018-06', or download the source from https://github.com/job/ripe-proposal-2018-06
Usage example:
$ ripe-proposal-2018-06 -a 7018 Downloading https://rpki.gin.ntt.net/api/export.json Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts:
route: 99.122.224.0/21 descr: route for customer Akamai International origin: AS1273 created: 2008-09-08T14:40:49Z last-modified: 2018-09-04T15:54:45Z source: RIPE-NONAUTH mnt-by: CW-EUROPE-GSOC
Above non-authoritative IRR object is in conflict with this ROA: ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
Note that AT&T has no method of getting this erroneous "route:" object removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
We're working on an updated version of RIPE Policy Proposal 2018-06 to incorporate feedback from the community, such as an attempt to send notifications and a grace period before the object is actually removed.
All in all it appears that if this policy proposal is deployed *now*, the operational impact is virtually non-existent; and after deploying this the global community has an industry-standard way to get rid of stale proxy route registrations. With every published ROA the "RIPE-NONAUTH" source becomes cleaner!
Kind regards,
Job
This almost looks like a typo, I can’t find any historical information tying this route to Akamai going back to at least 2009. It would be nice if this object could go away :-) - Jared
On Mar 6, 2019, at 9:55 AM, Jay Borkenhagen <jayb@braeburn.org> wrote:
Hi,
I support this clean-up of RIPE-NONAUTH IRR using information published in the RPKI.
AT&T has been allocated 99.112.0.0/12, and we have not sub-allocated 99.122.224.0/21 to Akamai, CW-EUROPE-GSOC, AS1273, or anyone. Folks are encouraged to use the ROA we have published for 99.112.0.0/12 authorizing origination in our as7018 in all ways that make sense, including removing bogus / obsolete route objects from the IRR.
Thanks!
Jay B.
On 06-March-2019, Job Snijders writes:
Dear all,
I wrote a small tool to help understand the effects if RIPE Policy Proposal 2018-06 is accepted by the community. This is the "Let's use RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06). The tool can also be used by RIPE NCC staff to validate their implementation or help their impact analysis.
Quick reminder: this proposal does *not* impact any RIPE Managed space, this does *not* impact IP space for which no RPKI ROAs have or can be created, and it does *not* impact route objects where the route object and the RPKI ROA are match each other.
Currently there are 793 IRR "route:" objects and 17 "route6:" objects that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33 prefixes are visible in the BGP DFZ as exact matches between what is registered in RIPE-NONAUTH and in BGP (note: this means these 33 announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T probably aren't accepting those announcements anyway)...
You can install the tool through 'pip3 install ripe-proposal-2018-06', or download the source from https://github.com/job/ripe-proposal-2018-06
Usage example:
$ ripe-proposal-2018-06 -a 7018 Downloading https://rpki.gin.ntt.net/api/export.json Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts:
route: 99.122.224.0/21 descr: route for customer Akamai International origin: AS1273 created: 2008-09-08T14:40:49Z last-modified: 2018-09-04T15:54:45Z source: RIPE-NONAUTH mnt-by: CW-EUROPE-GSOC
Above non-authoritative IRR object is in conflict with this ROA: ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
Note that AT&T has no method of getting this erroneous "route:" object removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
We're working on an updated version of RIPE Policy Proposal 2018-06 to incorporate feedback from the community, such as an attempt to send notifications and a grace period before the object is actually removed.
All in all it appears that if this policy proposal is deployed *now*, the operational impact is virtually non-existent; and after deploying this the global community has an industry-standard way to get rid of stale proxy route registrations. With every published ROA the "RIPE-NONAUTH" source becomes cleaner!
Kind regards,
Job
Hi, I support 2018-06. This cleanup is a very good idea! (this proposal is originally from Oct'2018) Is there any special reason to be "stuck"? Best Regards, Carlos On Wed, 6 Mar 2019, Jay Borkenhagen wrote:
Hi,
I support this clean-up of RIPE-NONAUTH IRR using information published in the RPKI.
AT&T has been allocated 99.112.0.0/12, and we have not sub-allocated 99.122.224.0/21 to Akamai, CW-EUROPE-GSOC, AS1273, or anyone. Folks are encouraged to use the ROA we have published for 99.112.0.0/12 authorizing origination in our as7018 in all ways that make sense, including removing bogus / obsolete route objects from the IRR.
Thanks!
Jay B.
On 06-March-2019, Job Snijders writes:
Dear all,
I wrote a small tool to help understand the effects if RIPE Policy Proposal 2018-06 is accepted by the community. This is the "Let's use RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06). The tool can also be used by RIPE NCC staff to validate their implementation or help their impact analysis.
Quick reminder: this proposal does *not* impact any RIPE Managed space, this does *not* impact IP space for which no RPKI ROAs have or can be created, and it does *not* impact route objects where the route object and the RPKI ROA are match each other.
Currently there are 793 IRR "route:" objects and 17 "route6:" objects that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33 prefixes are visible in the BGP DFZ as exact matches between what is registered in RIPE-NONAUTH and in BGP (note: this means these 33 announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T probably aren't accepting those announcements anyway)...
You can install the tool through 'pip3 install ripe-proposal-2018-06', or download the source from https://github.com/job/ripe-proposal-2018-06
Usage example:
$ ripe-proposal-2018-06 -a 7018 Downloading https://rpki.gin.ntt.net/api/export.json Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts:
route: 99.122.224.0/21 descr: route for customer Akamai International origin: AS1273 created: 2008-09-08T14:40:49Z last-modified: 2018-09-04T15:54:45Z source: RIPE-NONAUTH mnt-by: CW-EUROPE-GSOC
Above non-authoritative IRR object is in conflict with this ROA: ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
Note that AT&T has no method of getting this erroneous "route:" object removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
We're working on an updated version of RIPE Policy Proposal 2018-06 to incorporate feedback from the community, such as an attempt to send notifications and a grace period before the object is actually removed.
All in all it appears that if this policy proposal is deployed *now*, the operational impact is virtually non-existent; and after deploying this the global community has an industry-standard way to get rid of stale proxy route registrations. With every published ROA the "RIPE-NONAUTH" source becomes cleaner!
Kind regards,
Job
Hi, Some folks asked if I can share today's output of the tool for all ASNs, here it is: http://instituut.net/~job/ripe-proposal-2018-06-output.txt Kind regards, Job On Wed, Mar 06, 2019 at 12:51:25PM +0000, Job Snijders wrote:
Dear all,
I wrote a small tool to help understand the effects if RIPE Policy Proposal 2018-06 is accepted by the community. This is the "Let's use RPKI ROAs to clean up the non-authoritative RIPE-NONAUTH IRR source!"-proposal (source: https://www.ripe.net/participate/policies/proposals/2018-06). The tool can also be used by RIPE NCC staff to validate their implementation or help their impact analysis.
Quick reminder: this proposal does *not* impact any RIPE Managed space, this does *not* impact IP space for which no RPKI ROAs have or can be created, and it does *not* impact route objects where the route object and the RPKI ROA are match each other.
Currently there are 793 IRR "route:" objects and 17 "route6:" objects that conflict with published RPKI ROAs. Out of those ~ 800, roughly 33 prefixes are visible in the BGP DFZ as exact matches between what is registered in RIPE-NONAUTH and in BGP (note: this means these 33 announcements are "RPKI Invalid", and the likes of Cloudflare / AT&T probably aren't accepting those announcements anyway)...
You can install the tool through 'pip3 install ripe-proposal-2018-06', or download the source from https://github.com/job/ripe-proposal-2018-06
Usage example:
$ ripe-proposal-2018-06 -a 7018 Downloading https://rpki.gin.ntt.net/api/export.json Downloading https://ftp.ripe.net/ripe/dbase/split/ripe-nonauth.db.route.gz
INVALID! The 99.122.224.0/21AS1273 RIPE-NONAUTH route object has conflicts:
route: 99.122.224.0/21 descr: route for customer Akamai International origin: AS1273 created: 2008-09-08T14:40:49Z last-modified: 2018-09-04T15:54:45Z source: RIPE-NONAUTH mnt-by: CW-EUROPE-GSOC
Above non-authoritative IRR object is in conflict with this ROA: ROA: 99.112.0.0/12, MaxLength: 12, Origin AS7018 (ARIN)
Note that AT&T has no method of getting this erroneous "route:" object removed, other than to beg & plead with maintainer 'CW-EUROPE-GSOC'.
We're working on an updated version of RIPE Policy Proposal 2018-06 to incorporate feedback from the community, such as an attempt to send notifications and a grace period before the object is actually removed.
All in all it appears that if this policy proposal is deployed *now*, the operational impact is virtually non-existent; and after deploying this the global community has an industry-standard way to get rid of stale proxy route registrations. With every published ROA the "RIPE-NONAUTH" source becomes cleaner!
Kind regards,
Job
participants (4)
-
Carlos Friaças -
Jared Mauch -
Jay Borkenhagen -
Job Snijders