From: Alex Band <alexb@ripe.net> Date: Sun, 30 Jan 2011 11:39:36 +0100
I think my question is very pertinent. Of course the number of signed prefixes directly influences the number of validators. Do you think the RIPE NCC Validator tool would have been downloaded over 100 times in the last month if there were only 5 certified prefixes?
i think we may be talking past each other. the number of production validators will be unrelated to any difference between "prefixes signed because signing is easy" and "prefixes signed because operators are willing to do something hard." the operators who will sign even if it's hard (for example, deploying up/down) and also the operators who will only do it if it's easy (for example, hosted at an RIR) will each not care how many production validators there are at that moment -- their decision will be made on some other basis.
Practically, in the real world, why would anyone invest time and effort in altering their current BGP decision making process to accommodate for resource certification if the technology is on nobody's radar, it's hard to get your feet wet and there are just a handful of certified prefixes out there. Wouldn't it be good if network operators think: "Because it helps increase global routing security, it's easy to get started and lots of people are already involved, perhaps I should have a look at (both sides of) resource certification too."
the reasoning you're describing is what we had in mind when we built DLV as an early deployment aid for DNSSEC. we had to "break stiction" where if there were no validators there would be incentive to sign, and if there were no signatures there would be no incentive to validate. are you likewise proposing the hosted solution only as an early deployment aid? i'm really quite curious as to whether you'll continue operating an RPKI hosting capability even if it becomes unnec'y (as proved some day if many operators of all sizes demonstrate capability for up/down). if so, can you share the reasoning behind that business decision? i know it sounds like i'm arguing against a hosted solution, but i'm not. i'm just saying that network operators are going to make business decisions (comparing cost and risk to benefit) as to whether to sign and whether to validate, and RIR's are going to make business decisions (comparing cost and risk to benefit) as to what provisioning mode to offer, and i don't plan to try to tell any network operators to sign or validate based on my own criteria, nor do i plan to try to tell any RIR that they should host or do up/down based on my own criteria. it's their own criteria that matters. let's just get the best starting conditions we can get, and then expect that everybody will make the best decision they can make based on those conditions. at ISC i have been extremely interested in participating in RPKI development and i think that sra and randy (and the whole RPKI team inside IETF and among the RIRs) have done great work improving the starting conditions for anyone who has to make a business decision of whether to deploy and if so what mode to deploy in. on the ARIN BoT i have likewise been very interested in and supportive of RPKI and i'm happy to repeat john curran's words which were, ARIN is looking at the risks and benefits of various RPKI deployment scenarios, and we expect to do more public and member outreach and consultation at our upcoming meeting in san juan PR. Paul Vixie Chairman and Chief Scientist, ISC Member, ARIN BoT re:
i don't agree that that question is pertinent. in deployment scenario planning i've come up with three alternatives and this question is not relevant to any of them. perhaps you know a fourth alternative. here are mine.
1. people who receive routes will prefer signed vs. unsigned, and other people who can sign routes will sign them if it's easy (for example, hosted) but not if it's too hard (for example, up/down).
2. same as #1 except people who really care about their routes (like banks or asp's) will sign them even if it is hard (for example, up/down).
3. people who receive routes will ignore any unsigned routes they hear, and everyone who can sign routes will sign them no matter how hard it is.
i do not expect to live long enough to see #3. the difference between #1 and #2 depends on the number of validators not the number of signed routes (since it's an incentive question). therefore small differences in the size of the set of signed routes does not matter very much in 2011, and the risk:benefit profile of hosted vs. up/down still matters far more. ...