nanog mailing list archives
Re: AltDB?
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Sat, 8 Jan 2011 14:47:47 -0500
On Sat, Jan 8, 2011 at 1:10 PM, Jon Lewis <jlewis () lewis org> wrote:

> Getting back to the original topic...sort of:

thanks!

> [1] Don't care is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless.
I don't think rr.arin.net and RPKI have anything to do with each other. I think the direction the RPKI should/is taking is to have the RIR sign a ROA to the ORG that they allocate the address space to... Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the ORG that they assign address space to.

Ideally you should be able to ask the RPKI system: "I have 1.2.3.0/24 in a bgp announcement, origin'd by AS1234. Is that proper?" Ideally that magic doesn't happen on the "router" but a digested form of the data is available, making much of the heavy-lifting not router-based.

The parts of the puzzle here that ARIN (or really any RIR) is responsible for are the 'signing roas to allocatees' (the "up/down protocol" as it's referred to in the drafts - <http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09>) and potentially having a system which permits end-users/ORGs to enter data which generates ROA data (and sends that along to some publication point for the rest of the routing world to download/digest). I believe the 'up/down protocol' part here is critical; the "web server" part ... I'm not sure is so critical, maybe a third party makes that happen outside of the ARIN management chain?

Using someone not yourself (ARIN or another third party) to manage your ROA data means you probably have (in the most simple case) given that third party the ability to sign objects for you; that means they have your private key(s) and can break you by mistake/malfeasance/oversight/etc. For this reason some folks may be ok with using a third party; many will choose to hold their fate in their own hands.

-Chris
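The "is that proper?" question above is what a validating cache answers for the router from a digested set of ROAs. The following is an added illustration, not code from the list or from any RIR, of that origin check using the RFC 6811 rules (covering ROA, maxLength, origin AS); the ROA records are constructed sample data built around the 1.2.3.0/24 / AS1234 example in the mail, and "AS64500" and 10.0.0.0/16 are assumed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, Union

Net = Union[IPv4Network, IPv6Network]

@dataclass(frozen=True)
class ROA:
    """One validated ROA as a router-side cache holds it
    (RFC 6482 content: prefix, maxLength, origin AS)."""
    prefix: Net
    max_length: int
    asn: int

def covers(roa: ROA, announced: Net) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside
    the ROA prefix (same address family, not shorter than the ROA prefix)."""
    return announced.version == roa.prefix.version and announced.subnet_of(roa.prefix)

def matches(roa: ROA, announced: Net, origin_as: int) -> bool:
    """Covering ROA whose maxLength and origin AS both agree (RFC 6811)."""
    return (covers(roa, announced)
            and announced.prefixlen <= roa.max_length
            and roa.asn == origin_as)

def validate_origin(roas: Iterable[ROA], prefix: str, origin_as: int) -> str:
    """Answer 'I see PREFIX originated by ORIGIN_AS; is that proper?'
    Returns 'valid', 'invalid' or 'not-found' (the RFC 6811 states)."""
    announced = ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "not-found"   # nobody has issued a ROA for this space
    if any(matches(r, announced, origin_as) for r in covering):
        return "valid"
    return "invalid"         # covered, but wrong origin or too-long prefix

# Constructed sample cache: the ROA for the 1.2.3.0/24 example in the mail,
# plus an assumed aggregate whose holder permits announcements down to /22 only.
SAMPLE_ROAS = [
    ROA(ip_network("1.2.3.0/24"), 24, 1234),
    ROA(ip_network("10.0.0.0/16"), 22, 64500),
]

if __name__ == "__main__":
    for pfx, asn in [("1.2.3.0/24", 1234), ("1.2.3.0/24", 4321),
                     ("1.2.3.0/25", 1234), ("10.0.1.0/24", 64500),
                     ("10.0.0.0/22", 64500), ("192.0.2.0/24", 64500)]:
        print(f"{pfx} from AS{asn}: {validate_origin(SAMPLE_ROAS, pfx, asn)}")
```

An 'invalid' result can come from a hijacked origin or from a more-specific announcement the holder never authorised; 'not-found' only says no ROA exists, which is why the mail stresses the RIR-to-holder signing chain.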
