On Thu, May 6, 2021 at 7:07 PM Terry Sweetser via SIG Routing Security <sig-routingsecurity@apnic.net> wrote:
Hi SIGgers,

I don't see APNIC filtering (or not) as a major concern as they're not a transit provider.

I'll go even further -- I don't see why APNIC filtering or not is any of my/our business. 

APNIC exists to serve the community, and the APNIC network exists to make some services available to people. How the APNIC network engineers choose to do this is (IMO) 100% their decision. I don't tell them what brand of routers or servers or coffee to buy, and I don't see why they should care what my views on them dropping invalids.

If the question were instead "Should people coming from invalid prefixes be able to reach APNIC network services?" I might have a different answer -- but, that's a completely different (and much harder!) question.


"Not my circuit, not my monkeys..."

W
 

I am concerned with the quality of the data on https://stats.labs.apnic.net/rpki/, there are major sample count differences across the table for AU.

I'd love to see an explanation of the data set and how it is obtained.

Terry Sweetser,
Senior Engineer

ion Consulting Group Pty Ltd trading as io Networks
Level 5, 9 Sherwood Rd, Toowong, 4066
e. terry.sweetser@ionetworks.com.au
m. +61447069725
p. 1300 124 816
http://www.ionetworks.com.au


Experience and Knowledge, On-Call.

-----Original Message-----
From: Di Ma via SIG Routing Security <sig-routingsecurity@apnic.net>
Sent: Thursday, 6 May 2021 4:12 PM
To: Aftab Siddiqui <aftab.siddiqui@gmail.com>
Cc: sig-routingsecurity@apnic.net
Subject: [SIG-RoutingSecurity] Re: Should APNIC drop RPKI Invalids?


>
> along with several IXs in AU and SG (IX-AU, EQ-IX, Edge-IX and Mega-IX) and these IXs already drop RPKI invalids (EQX-IX may be). Vocus and Telstra also drop invalids. The question is, should APNIC just rely on upstream dropping the invalids or do it themselves?
>

APNIC-AS might as well do the validation if APNIC network think its upstreams may miss some rogue route announcements from the remote ISPs.

I think this is a kind of double-check.

Di
_______________________________________________
SIG Routing Security mailing list -- sig-routingsecurity@apnic.net To unsubscribe send an email to sig-routingsecurity-leave@apnic.net
_______________________________________________
SIG Routing Security mailing list -- sig-routingsecurity@apnic.net
To unsubscribe send an email to sig-routingsecurity-leave@apnic.net


--
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra