nanog mailing list archives
[NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects
From: "Barry O'Donovan (Open Solutions) via NANOG" <nanog () lists nanog org>
Date: Thu, 27 Mar 2025 13:44:24 +0000
Hi all,Malte’s email below is on point. The one addition I’d make is that most IXPs are not / would not use "non-authenticated IRRs” by default but rather on member request where they specify the IRRDB to query. This typically only happens for larger international networks rather than regional ones where they’d only be a member of a single RIR.
Also, IRR data should only come into play after RPKI validation returns ‘unknown’.
A standard algorithm is described here: https://docs.ixpmanager.org/latest/features/route-servers/#filtering-algorithm - Barry ------ Original Message ------ From "Malte Tashiro via NANOG" <nanog () lists nanog org> To nanog () lists nanog org Cc "Malte Tashiro" <malte () iij ad jp> Date 26/03/2025 03:20:08Subject [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects
On 3/22/25 01:53, Chris Woodfield via NANOG wrote:Fair point and you appear to be correct. I’ll caveat I’m speaking without concrete data, but I suspect that there are enough routes not held in RIR-hosted route servers that dropping the unauthenticated IRRs would be… impactful.In the RIPE Connect-WG there are efforts to establish a BCP document to only use RIR IRRs for filtering. As part of this there was a presentation at RIPE 88 [0] where someone from DE-CIX showed an impact analysis. Their takeaway is that dropping RADB would result in a loss of 11% of /24s and 250 Gbps traffic at peak, i.e., a significant amount. Other non-RIR IRRs contribute only a small amount. There is a follow-up mail thread with lots of discussion [1] (which also has the full BCP draft attached), and in my understanding it seems to be normal operating practice to use non-authenticated IRRs (especially RADB). So coming back to Steve's original question: On 3/21/25 22:29, Steven Wallace via NANOG wrote:Are many/any/most IXP route server operators filtering routes without authenticated (i.e., RIR-hosted) route objects?If there is filtering in place, it seems like many IXPs allow non-authenticated route objects. Best, Malte [0] Video: https://ripe88.ripe.net/archives/video/1356/ Slides: https://ripe88.ripe.net/wp-content/uploads/presentations/87-RIPE88_RS_Proposal_BCP_IRRDBs_1.2.pdf [1] https://mailman.ripe.net/archives/list/connect-wg () ripe net/thread/FGUT3D37HOP4KMMGN5A7XGCYJ5FFBZ6Z/
_______________________________________________NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QZZQYOITVJ7H32N4DDFBSZ7SXB5OQXUK/
Current thread:
- [NANOG] Are IXP route server operators filtering routes that lack authenticated route objects Steven Wallace via NANOG (Mar 21)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Chris Woodfield via NANOG (Mar 21)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Steven Wallace via NANOG (Mar 21)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Chris Woodfield via NANOG (Mar 21)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Malte Tashiro via NANOG (Mar 27)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Rubens Kuhl via NANOG (Mar 27)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Barry O'Donovan (Open Solutions) via NANOG (Mar 27)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Steven Wallace via NANOG (Mar 21)
- [NANOG] Re: Are IXP route server operators filtering routes that lack authenticated route objects Chris Woodfield via NANOG (Mar 21)