From: Alex Band <alexb@ripe.net> Date: Sat, 29 Jan 2011 16:26:55 +0100
... So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now?
i don't agree that that question is pertinent. in deployment scenario planning i've come up with three alternatives and this question is not relevant to any of them. perhaps you know a fourth alternative. here are mine.

1. people who receive routes will prefer signed vs. unsigned, and other people who can sign routes will sign them if it's easy (for example, hosted) but not if it's too hard (for example, up/down).

2. same as #1 except people who really care about their routes (like banks or asp's) will sign them even if it is hard (for example, up/down).

3. people who receive routes will ignore any unsigned routes they hear, and everyone who can sign routes will sign them no matter how hard it is.

i do not expect to live long enough to see #3. the difference between #1 and #2 depends on the number of validators not the number of signed routes (since it's an incentive question). therefore small differences in the size of the set of signed routes do not matter very much in 2011, and the risk:benefit profile of hosted vs. up/down still matters far more.
Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof who is the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?
while i am expecting a rise in address piracy following depletion, i am not expecting #3 (see above) and i think most of the piracy will be of fallow or idle address space that will therefore have no competing route (signed or otherwise). this will become more pronounced as address space holders who care about this and worry about this sign their routes -- the pirates will go after easier prey. so again we see no material difference between hosted and up/down on the deployment side or if there is a difference it is much smaller than the risk:benefit profile difference on the provisioning side.

in summary, i am excited about RPKI and i've been pushing hard for it in both my day job and inside the ARIN BoT, but... let's not overstate the case for it or kneejerk our way into provisioning models whose business sense has not been closely evaluated. as john curran said, ARIN will look to the community for the guidance he needs on this question. i hope to see many of you at the upcoming ARIN public policy meeting in san juan PR where this is sure to be discussed both at the podium and in the hallways and bar rooms.

Paul Vixie
Chairman and Chief Scientist, ISC
Member, ARIN BoT