On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:
1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available
this is not address policy. this is ops. surely one does not have to dirty one's self with the ppml list to get an ops fix done in arin. it is not address policy.
i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely.
Randy - Excellent point; my apologies for not realizing this sooner and posting some information directly for consideration by the NANOG community. Attached is a message from the arin-discuss mailing list which has some more context; please feel free to discuss this on the arin-discuss mailing list or here on NANOG (as appropriate) Thanks! /John Begin forwarded message:
From: John Curran <jcurran@arin.net> Date: January 6, 2011 11:08:39 AM EST To: "George, Wes E [NTK]" <Wesley.E.George@sprint.com> Cc: "arin-discuss@arin.net" <arin-discuss@arin.net> Subject: Re: [arin-discuss] Important Update Regarding Resource Certification
On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
There have been some threads about this on NANOG in the last few days. Can we get a bit clearer explanation of what the specific security concerns are and why they are delaying things? It may also make sense for someone from ARIN to post to NANOG with an explanation as well. If there are security concerns, it is something that the community should be aware of in case other RIRs or the SIDR WG need to be considering those issues as well.
Thanks, Wes George
George -
The security concerns are not specificly related to the RPKI protocol, but inherent implications of any service that might be heavily relied upon for real-time network operations, i.e. I don't think it's a SIDR WG matter, but simply part of the due diligence associated with the service as noted below.
While the RIRs presently provide services which are used to support operations (such as WHOIS and Reverse DNS services), failure of RIR resource certification services could have some very significant consequences, particularly in the case of incorrect data as opposed to simply unavailable data. There are some potential liability implications of operating such a service that ARIN is presently reviewing in depth. I need to also note that these issues exist even in the case of a perfectly secure and operational service, in that an error by an ISP using ARIN's services (e.g. having entered the wrong AS number into a ROA for a major customer) could result in ARIN needing to readily "prove" the integrity of its resource certification system as well as fidelity of performance against the operators request.
This has led ARIN to consider some aspects of its resource certification design, specifically to mitigate potential risks in the areas of non-repudiation and multi-party controls. Even so, the ultimate decision in these matters lies with the ARIN Board, as there is always going to be residual risk associated with any operations-related service provided by ARIN (note also that we have also discussed these issues with the other RIRs, but as they don't operate in ARIN's highly-litigous region, it is not necessarily a similar priority for their consideration)
To the extent that ARIN offering resource certification services is important to your plans, it would good to express such needs on the arin-discuss mailing list. This helps us gauge the demand which obviously is another important factor to be considered in making the final determination on offering these services.
We intend to have more detailed information out later this month once the plans for finalized, but I hope the above information provides some insight into the process at this point. I will post this to the NANOG list for the community's information.
Thanks! /John
John Curran President and CEO ARIN
p.s. I'm presently on a Caribbean cruise ship on a bona fide family vacation, so please recognize that replies may be deferred to off hours so that my laptop isn't thrown overboard... ;-)