[RPKI] Routinator repository blacklisted

Slav Messetchkov slav.messetchkov at sasktel.com
Tue Nov 29 23:48:22 UTC 2022


Hi Lukas,

Thanks for the clarification. I didn't realize they're running Delegated RPKI (for a single /40 block!), but that makes sense. We'll review internally the alerting with that in mind.

Slav Messetchkov
Sr. Engineer Core Network & Service Development
SaskTel, TSI/NSD
ph: 306-777-1988
m: 604-516-9676

-----Original Message-----
From: Lukas Tribus <lukas at ltri.eu>
Sent: Tuesday, November 29, 2022 3:24 PM
To: Slav Messetchkov <slav.messetchkov at sasktel.com>
Cc: Alex Band <alex at nlnetlabs.nl>; rpki at lists.nlnetlabs.nl; Takaya Ono <takaya.ono at sasktel.com>; Kim Huartson <kim.huartson at sasktel.com>; Rick Wanner <rick.wanner at sasktel.com>
Subject: Re: [RPKI] Routinator repository blacklisted

On Tue, 29 Nov 2022 at 23:38, Slav Messetchkov via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>
> Hi Alex,
>
> Thanks for your reply and clarifications!
>
> I'm still puzzled about what constitutes a "Repository" and how it is
> administered. I have trouble understanding how a tiny entity like
> mnihyc, publishing a single IPv6 /40 range can be listed together with ARIN, RIPE, and the likes.

The keyword here is delegated RPKI, I strongly suggest going through some of the following documents to get a better understanding of it:

https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html
https://www.ripe.net/participate/meetings/open-house/ripe-ncc-open-house-hosted-vs-delegated-rpki
https://www.arin.net/resources/manage/rpki/delegated/


Regarding your Spamhaus blocklist: AFAIK this list serves the purpose of protecting the end user from spam/phishing and other malicious end-user threats. However, an RPKI validator is not a browser, and an RTR client is not an end user. The goal of the Spamhaus blocklist has nothing to do with RPKI validation, and an RPKI validator does not belong behind a Spamhaus-protected DNS recursor, especially one that actively creates alerts when there are blacklist matches (which I assume triggered your investigation).

You wouldn't ask your car mechanic to wear a seat belt while changing the oil on your car, just because wearing a seat belt makes driving a vehicle on the street a lot safer.


- lukas