<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">The questions for community consideration are:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">- Should the automatic creation of IRR route objects for resources that have RPKI ROAs be compulsory, the default setting, or require explicit opt-in?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">A: I believe either an opt-in or opt-out option would be best per ORGID<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">- Should IRR Objects be managed via a direct linkage to a ROA such that they can only be deleted through deletion of the covering ROA, or should ARIN
continue to support independent management of IRR route objects?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">A: If opt-in/out is adopted, this could be set by that option. If opt-in is selected, it could be a direct link with no manual management. If opt-out,
manual management is required.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">- Should ARIN automatically create managed IRR Route Objects for all validated ROAs in the Hosted RPKI repository that do not have matching IRR Route
Objects today?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">A: It seems this could also be set to opt-in/out, based upon the response to the first question. If opt-out of auto-creation, it seems this would be
moot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">- If so, what is the anticipated benefit of doing so? Conversely, if this functionality is not desired, why not?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">A: That would be based upon the IPAM manager for the ORG to define for themselves, based upon options selected. Personally, I can see a benefit for
those Tier 1’s and other peers that create their import policies based upon IRR objects.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none">- If a customer agrees to link a ROA with the IRR, what is the appropriate number of route objects that should be created based on the ROA prefix and
max length (ML) configuration? Would a “least specific” route object meet expectations?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A: So, I agree there is a maximum, especially for IPv6. I just found out the other week that Google (and only Google to the best of my knowledge), will bypass ARIN Direct Allocation (DA) of a block, and prefer stale RADb route objects.
That is, we own the supernet, but Google will not take that into consideration when we peer direct to them, they will look at [very old] RADb route objects if there is a subnet match and we don’t have a route record in RADb or ARIN. As RADb is “open” and allows
anyone to create a route object for any IP and origination AS, this opens our 57M v4 IP’s to easy attack if we don’t have a route record for every possible prefix we own. This creates a new vector of attack created solely by Google for our owned IP’s to access
Google resources. Also, since we have 100K employees, and most anyone in networking can create a prefix tagged appropriately and leaked to the Internet, in managing IP’s we have no way to limit what is routed and leaked. We would have to play whack-a-mole
trying to keep up.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That in mind, I think that if more than 256 (or nnn?) IRR route objects are to be created, a message should be presented to the requester informing them of what they are asking. I should say, we don’t like to use ML except in very isolated
cases where we’d be playing whack-a-mole if we tried to cover all /48’s of a /32 for our business class customers. That said, we still have to act responsibly and understand the consequences such as Forged Origin attacks:
<a href="https://datatracker.ietf.org/doc/html/rfc9319">https://datatracker.ietf.org/doc/html/rfc9319</a>. So, you want to know the “specific” number, and I honestly don’t have a suggestion, but how about this, if ML is used, ask the question something like,
“Using an ML value greater than the mask creates the potential for subnets leaked to the Internet. Do you want to create IRR route objects for each candidate subnet, or create a route object for only the parent aggregate?”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#00629B;mso-ligatures:none">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><b><span style="color:#2E74B5;mso-ligatures:none">-------------------------------------------------------------------------------------------------------------------------------------<o:p></o:p></span></b></p>
<p class="MsoNormal" style="background:white"><b><span style="color:#2E74B5;mso-ligatures:none">CHUCK HAUGE
</span></b><span style="color:#2E74B5;mso-ligatures:none">| CCNP, MBA | <b>IP Management -
</b>Systems Engineer IV | c. 303.915.5512 | </span><span style="font-size:9.0pt;color:#2E74B5;mso-ligatures:none">o. 303.323.6056</span><span style="color:#2E74B5;mso-ligatures:none"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN" style="color:#2E74B5;mso-ligatures:none"> 6175 South Willow Drive | Greenwood Village, CO 80111<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><b><span style="color:#2E74B5;mso-ligatures:none">-------------------------------------------------------------------------------------------------------------------------------------<o:p></o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
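<p class="MsoNormal">Added example, not part of the original message and not ARIN code: a sketch of the choice discussed in the last answer, counting how many route objects a ROA prefix and max length (ML) would produce and holding back anything above a warning threshold until the requester confirms. The function names, the minimal RPSL stub and the use of 256 as the threshold are assumptions for illustration; the prefixes and AS number are documentation values.</p>

```python
import ipaddress

# 256 is the figure floated in the message above; an assumption here, not an ARIN rule.
WARN_THRESHOLD = 256


def candidate_counts(prefix, max_length):
    """Map each prefix length a ROA authorizes to the number of subnets at that length."""
    net = ipaddress.ip_network(prefix)
    if max_length not in range(net.prefixlen, net.max_prefixlen + 1):
        raise ValueError(f"maxLength {max_length} is invalid for {net}")
    return {n: 2 ** (n - net.prefixlen) for n in range(net.prefixlen, max_length + 1)}


def rpsl(net, origin_as):
    """Minimal route/route6 stub; real objects also need descr, mnt-by and source."""
    attr = "route6" if net.version == 6 else "route"
    return f"{attr}: {net}\norigin: AS{origin_as}\n"


def plan(prefix, max_length, origin_as, each_subnet=False, confirmed=False):
    """Plan IRR objects for one ROA.

    each_subnet=False gives the "least specific" object for the ROA prefix only.
    each_subnet=True covers every prefix from the ROA length down to maxLength,
    but nothing is generated above WARN_THRESHOLD until confirmed=True.
    """
    net = ipaddress.ip_network(prefix)
    counts = candidate_counts(prefix, max_length)
    total = sum(counts.values()) if each_subnet else 1
    needs_confirmation = total > WARN_THRESHOLD and not confirmed
    nets = []
    if not needs_confirmation:
        nets = [s for n in counts for s in net.subnets(new_prefix=n)] if each_subnet else [net]
    return {"total": total, "needs_confirmation": needs_confirmation,
            "objects": [rpsl(n, origin_as) for n in nets]}


if __name__ == "__main__":
    # Constructed ROAs using documentation prefixes and a documentation ASN.
    for roa in [("192.0.2.0/24", 26), ("2001:db8::/32", 48)]:
        for each in (False, True):
            p = plan(*roa, 64496, each_subnet=each)
            print(roa, "each_subnet" if each else "least-specific",
                  p["total"], "confirm first" if p["needs_confirmation"] else "ok")
```

<p class="MsoNormal">For a /32 with ML 48 the per-subnet option means 65,536 objects at /48 alone, which is why the least-specific object is the only one generated without confirmation.</p>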
</div>
</body>
</html>