Request: Need better explanation of invalid ROA detection

[athompson-merlin]

I have numerous ROAs that are failing with "RPKI invalid route objects found". However, they look right, and I have no way of knowing what validation step failed, merely that <something> determined they were invalid.
I suggest either more detailed RPKI validation messages, or hover text, or the ability to drill down. As is, I don't know if the problem is the validation logic, or my ROAs. (Other validators claim there's nothing wrong.)

[job]

Can you share a screenshot of what you’re looking at and what is confusing you?

[athompson-merlin]

Sure:

[athompson-merlin]

So in this case, other validators accept my ROAs without complaint, and I have no idea what IRRExplorer thinks is wrong, precisely. Might be my mistake still, but no way of knowing without exposing the failing validation rules.

[forkwhilefork]

It's saying "there exist IRR route objects that, according to the RPKI ROAs we see, are invalid".

In the snip you posted that appears to be the case - a ROA only exists for AS16796, but route objects exist with origin ASNs that are not 16796 (therefore they are invalid).

[teunvink]

In addition to @forkwhilefork's explanation: this is indicated by the icons with crosses next to those ASN's. If you hover over them, you'll see a "route object is RPKI invalid" text.

[teunvink]

Also, there's a "Explanation of different messages" link at the top you can click which should explain the error found in more detail.

If you have any suggestions on how to improve reporting, please let us know!

[athompson-merlin]

It may be an issue of language semantics, then. To me the phrase "RPKI invalid route objects found" says that:

1. IRRexplorer found an RPKI ROA for this number resource, and
2. That ROA has a syntax error or some other structural flaw that makes it invalid.

I had previously reviewed the detail text but somehow interpreted it as meaning something other than what it says. (Confirmation bias, presumably.)

Firstly, I suggest rewording the error message so that it doesn't lead with "RPKI", which sent me down a path of assuming my ROAs were the problem. Perhaps "IRR/RPKI mismatch detected" would be more meaningful?

Secondly, I think it should be a warning, not an error. I still haven't been able to get all the ancient proxy routeobjs cleaned up, after 2+yrs of intermittent effort, and I expect some of those B.S. proxy routeobjs will actually never go away until IRR itself goes away. Not to mention that it's now outright impossible to make changes ARIN-NONAUTH, as far as I can tell, unlike Bell and Level3 who merely ignore my requests.

This suggests a separate feature request (#166), which I've just opened separately, as a way to mitigate the IRR-staleness issue as well as being just a generally-useful feature.

[athompson-merlin]

P.S. thanks to all of you for the super-fast replies on this!

[athompson-merlin]

I just figured out the language issue, it's a 1-byte error: There should be a hyphen between "RPKI" and "invalid".
The lack of hyphen makes "RPKI" the subject of the adjective "invalid" instead of a modifier. "RPKI-invalid routeobjs found" would have been clear, as the hyphen in this usage turns the preceding term into a modifier for the subsequent term.
(I still like my suggest, above, better, anyway, but YMMV.)

[teunvink]

Thanks for the feedback. The 1-byte fix has been applied for now. We'll consider the other suggestions.

[teunvink]

The ARIN-NONAUTH datasource has been removed since it has been decommissioned (https://www.arin.net/announcements/20220128-irr/).