[ARIN-consult] [EXTERNAL] - Consultation on Pending Functionality for Automatic Creation of IRR Route Objects for Uncovered ROAs

Thu Aug 10 18:41:44 EDT 2023

>- Should the automatic creation of IRR route objects for resources that have RPKI ROAs be compulsory, the default setting, or require explicit opt-in?

Opt-in at the Organization level.
Opting in should not remove existing IRR route(6) objects that do not match a ROA though it would probably be useful to highlight any differences between IRR data and ROAs, possibly with an option to fully align the IRR data with the ROA.  (ie "The following IRR route(6) objects either match or are more specifics of the prefix in this ROA, click here to remove all the IRR route(6) objects that do not match the prefix in the ROA.  The non-matching IRR route(6) objects can be managed separately from the ROA.")

> - Should IRR Objects be managed via a direct linkage to a ROAs such that they can only be deleted through deletion of the covering ROA, or should ARIN continue to support independent management of IRR route objects?

Should be independent for existing IRR route(6) objects.
Automatically created IRR route(6) objects should probably be managed directly from the ROA that triggered the creation.

>- If so, what is the anticipated benefit of doing so? Conversely, if this functionality is not desired, why not?

Abundance of caution, especially for existing IRR route(6) objects.

> - If a customer agrees to link a ROA with the IRR, what is the appropriate number of route objects that should be created based on the ROA prefix and max length configuration? Would a "least specific" route object meet expectations?

I think that creating a single "least specific" route object per ROA is the best approach.  Probably worthwhile having a message along the lines of "This ROA includes a max length value different from the prefix mask.  The system has created an IRR route(6) object corresponding to the prefix mask which supports the most common use cases.  Additional IRR route(6) objects can be directly created if needed."

Miles McCredie 
Principal Network Engineer II-Core IP 
Office: 6052755192 
Miles.McCredie at midco.com 
Midco.com 
-----Original Message-----
From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of ARIN
Sent: Thursday, August 10, 2023 2:32 PM
To: arin-consult at arin.net
Subject: [EXTERNAL] - [ARIN-consult] Consultation on Pending Functionality for Automatic Creation of IRR Route Objects for Uncovered ROAs

CAUTION: This email originated from outside of MIDCO.
Do not click links or open attachments unless you recognize the sender and know the content is safe.

Dear ARIN Community,

ARIN is seeking feedback from the community regarding a specific aspect of the recent ARIN Online functionality that was deployed on 7 August 2023. This upgrade to ARIN Online brought several new features - including tighter integration of ARIN's Resource Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing security services.

Upon further review and out of an abundance of caution, we have decided to pause the additional functionality that creates corresponding IRR Route Objects for every Route Origin Authorization (ROA) created. We have also paused the functionality that automatically creates IRR Route Objects for all preexisting ROAs that presently lack a matching Route Object. We recognize the importance of ensuring that our services align with the needs and expectations of our community and believe that additional time for community consultation on this integration functionality is warranted.

The current development plan is to provide an opt-in feature to allow for the creation of IRR Route Objects during new ROA creation in the near future. We are seeking operator input through this community consultation (https://www.arin.net/participate/community/acsp/consultations/2023/2023-4/) to gather input on the desirability of additional functionality related to integrating RPKI and IRR security services.

The questions for community consideration are:

- Should the automatic creation of IRR route objects for resources that have RPKI ROAs be compulsory, the default setting, or require explicit opt-in?

- Should IRR Objects be managed via a direct linkage to a ROAs such that they can only be deleted through deletion of the covering ROA, or should ARIN continue to support independent management of IRR route objects?

- Should ARIN automatically create managed IRR Route Objects for all validated ROAs in the Hosted RPKI repository that do not have matching IRR Route Objects today?

- If so, what is the anticipated benefit of doing so? Conversely, if this functionality is not desired, why not?

- If a customer agrees to link a ROA with the IRR, what is the appropriate number of route objects that should be created based on the ROA prefix and max length configuration? Would a "least specific" route object meet expectations?

We sincerely apologize for any inconvenience that pausing this functionality may have caused and appreciate your understanding as we work to ensure that our services are aligned with the interests of the community.

I encourage all community members to provide their comments and feedback on this matter - the feedback you provide during this consultation will be instrumental in determining how ARIN moves forward with this RPKI/IRR integration functionality.

Please provide comments to arin-consult at arin.net. You can subscribe to this mailing list at https://lists.arin.net/mailman/listinfo/arin-consult

This consultation will remain open until 5:00 PM ET on 10 September 2023. ARIN seeks clear direction through community input, so your feedback is important.

Thank you for your continued support and engagement.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult Mailing List (ARIN-consult at arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues.