On Sat, Jan 8, 2011 at 1:10 PM, Jon Lewis <jlewis@lewis.org> wrote:
Getting back to the original topic...sort of:
thanks!
[1] Don't care is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless.
I don't think rr.arin.net and RPKI have anything to do with each other. I think the direction the RPKI should/is taking is to have the RIR sign a ROA to the ORG that they allocate the address space to... Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the ORG that they assign address space to. Ideally you should be able to ask the RPKI system: "I have 1.2.3.0/24 in a bgp announcement, origin'd by AS1234. Is that proper?" Ideally that magic doesn't happen on the "router" but a digested form of the data is available, making much of the heavy lifting not router-based.

The parts of the puzzle here that ARIN (or really any RIR) is responsible for are the 'signing roas to allocatees' (the "up/down protocol" as it's referred to in the drafts - <http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09>) and potentially having a system which permits end-users/ORGs to enter data which generates ROA data (and sends that along to some publication point for the rest of the routing world to download/digest). I believe the 'up/down protocol' part here is critical; the "web server" part ... I'm not sure is so critical, maybe a third party makes that happen outside of the ARIN management chain?

Using someone not yourself (ARIN or another third party) to manage your ROA data means you probably have (in the most simple case) given the ability to that third party to sign objects for you; that means they have your private key(s) and can break you by mistake/malfeasance/oversight/etc. For this reason some folks may be ok with using a third party; many will choose to hold their fate in their own hands.

-Chris
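The "I have 1.2.3.0/24 originated by AS1234, is that proper?" question above is what RFC 6811 route origin validation answers from a digested ROA set. As an added illustration (not code from the thread or from any RIR), here is a minimal validator over a constructed ROA table; the prefixes, ASNs and maxLength values are made up.

```python
import ipaddress

# Constructed sample ROA set (made up for this example). Each ROA says:
# prefix, the longest announcement length it authorises, and the origin AS.
# An AS0 ROA authorises no origin at all (RFC 6483), so it only invalidates.
SAMPLE_ROAS = [
    {"prefix": "1.2.0.0/16", "max_length": 24, "asn": 1234},
    {"prefix": "1.2.3.0/24", "max_length": 24, "asn": 5678},
    {"prefix": "10.0.0.0/8", "max_length": 8, "asn": 64500},
    {"prefix": "203.0.113.0/24", "max_length": 24, "asn": 0},
]


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers (is equal to or less specific
    than) the announced prefix, ignoring the other address family."""
    net = ipaddress.ip_network(announced, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(roas, announced, origin_asn):
    """RFC 6811 origin validation state for one BGP announcement:
    NotFound (no covering ROA), Valid (a covering ROA names this origin and
    the announcement is not more specific than maxLength), else Invalid."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "NotFound"
    for roa in covering:
        if (roa["asn"] == origin_asn and origin_asn != 0
                and net.prefixlen <= roa["max_length"]):
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    for prefix, asn in [("1.2.3.0/24", 1234), ("1.2.3.0/25", 1234),
                        ("10.1.0.0/16", 64500), ("192.0.2.0/24", 1234)]:
        print(prefix, "AS%d" % asn, "->", validate_origin(SAMPLE_ROAS, prefix, asn))
```

The maxLength check is what turns a hijack by more-specific announcement into an Invalid rather than a Valid, which is why the /25 case fails even though AS1234 holds the covering /16.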