Job Snijders
@jobsnijders.bsky.social
Internet routing system hacker-for-hire, active in OpenBSD & IETF
the 3 day version is even more entertaining - about half way through you start to see that there are apparently two dominant calendar systems at work
September 28, 2025 at 1:16 AM
the 3 day version is even more entertaining - about half way through you start to see that there are apparently two dominant calendar systems at work
Some of the noise might just be a quirk of the visualisation approach. If anything, to me it shows that most of RPKI’s automated systems favor issuing somewhere at the top of the hour! #cronjobs
September 27, 2025 at 11:37 PM
Some of the noise might just be a quirk of the visualisation approach. If anything, to me it shows that most of RPKI’s automated systems favor issuing somewhere at the top of the hour! #cronjobs
Because at say 14:00 there *no longer* are many current manifests around that were issued earlier at say 01:00. The animation is a “viewport” of the internal state of a validator throughout the day
September 27, 2025 at 11:34 PM
Because at say 14:00 there *no longer* are many current manifests around that were issued earlier at say 01:00. The animation is a “viewport” of the internal state of a validator throughout the day
Happy to come present in exchange for a flight ticket! :-)
April 29, 2025 at 8:45 AM
Happy to come present in exchange for a flight ticket! :-)
It went well at my last employer
April 26, 2025 at 10:08 AM
It went well at my last employer
if you’re using bgpq4, the filters it emits no longer contain any information derived from RPKI-invalid IRR objects, but conversely _do_ use synthesised IRR objects derived from RPKI ROAs (i take credit for bridging the two domains). In some ways the migration from IRR to RPKI already happened
April 25, 2025 at 6:23 PM
if you’re using bgpq4, the filters it emits no longer contain any information derived from RPKI-invalid IRR objects, but conversely _do_ use synthesised IRR objects derived from RPKI ROAs (i take credit for bridging the two domains). In some ways the migration from IRR to RPKI already happened
Even so, what’s the issue with RADB? That database doesn’t contain RPKI-invalid IRR route objects (since they deployed IRRDv4). Considering to not use RADB goes to show that maybe we don’t really really need IRR-based filtering that bad at all?
April 25, 2025 at 6:17 PM
Even so, what’s the issue with RADB? That database doesn’t contain RPKI-invalid IRR route objects (since they deployed IRRDv4). Considering to not use RADB goes to show that maybe we don’t really really need IRR-based filtering that bad at all?
don't under-estimate the significance of IRR data being unauthenticated plain-text without any cryptographic assurances!
April 25, 2025 at 11:40 AM
don't under-estimate the significance of IRR data being unauthenticated plain-text without any cryptographic assurances!
Those spammers can create IRR objects in altdb/level3/radb/etc just like that! What you want is BGPsec! You want more RPKI :-)
April 25, 2025 at 7:59 AM
Those spammers can create IRR objects in altdb/level3/radb/etc just like that! What you want is BGPsec! You want more RPKI :-)
It’s allowed, unless there are conflicting signals (such as ROAs, or maxpfx limit, peer lock filter, ASPAs, or OTC/RFC9234 appears in wrong context). If none of those things are cause for rejection, the route is innocuous. That’s not a less secure paradigm compared to utterly insecure IRR data
April 24, 2025 at 6:46 PM
It’s allowed, unless there are conflicting signals (such as ROAs, or maxpfx limit, peer lock filter, ASPAs, or OTC/RFC9234 appears in wrong context). If none of those things are cause for rejection, the route is innocuous. That’s not a less secure paradigm compared to utterly insecure IRR data
Nah… you’ll come around 8-)
April 24, 2025 at 5:17 PM
Nah… you’ll come around 8-)
I repeat: the objective is to disallow invalid routes (things can only become invalid iff an ASPA or ROA exists), not to require all routes to be valid
April 24, 2025 at 4:41 PM
I repeat: the objective is to disallow invalid routes (things can only become invalid iff an ASPA or ROA exists), not to require all routes to be valid
This is the key bit: I’m not proposing to cut folks off! It’s just that when you don’t create ROAs or ASPAs you enjoy less protection. End user decides how much risk they want to expose themselves too
April 24, 2025 at 4:40 PM
This is the key bit: I’m not proposing to cut folks off! It’s just that when you don’t create ROAs or ASPAs you enjoy less protection. End user decides how much risk they want to expose themselves too