[moved to nanog as it seems a far more appropriate forum than cisco-nsp] On Wed, 5 Jan 2011, Jose Madrid wrote:
Anyone here use AltDB? It seems their servers have been down for two days. I have emailed their admin alias but have gotten nothing. Anyone?
whois -h whois.altdb.net 199.48.252.0
[Querying whois.altdb.net]
[Unable to connect to remote host]
Can anyone from Level3 say how this will impact customer BGP filters? Will L3 keep working with the last data sync they got from altdb?

I'm guessing if whatever the problem is with altdb isn't fixed soon, those who use it as their IRR will need to re-publish all their objects in another IRR DB and have any transit providers who build filters based on IRR data update their profiles to use object data from the IRR DB to which they moved their records. I'd been thinking about moving from altdb to ARIN's but hadn't had sufficient motivation.

www.altdb.net is reachable, but the whois server is not. Even altdb queries run from http://www.altdb.net/ fail.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
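The dependency Jon describes above (a transit provider builds customer prefix filters from route/route6 objects, honouring only the IRR sources in its profile, so moving objects to another database means the provider's profile must trust that source too) can be shown end to end with a small filter builder. This is an added example, not code from the thread or from any provider's tooling: the RPSL dump, the AS numbers and the prefixes below are constructed sample data in documentation ranges, and the `AS64496-IN` prefix-list name is made up.

```python
"""Build exact-match BGP prefix filters from IRR route/route6 objects.

Added example (not from the thread): a minimal, bgpq3-style filter
builder over a mirrored IRR dump. SAMPLE_DUMP, the maintainer names and
the AS numbers are constructed sample data (RFC 5737 / RFC 3849 / RFC 5398).
"""
import ipaddress

# Constructed sample: what a provider's mirror of several IRR sources might hold.
SAMPLE_DUMP = """\
route:      192.0.2.0/24
descr:      Example customer block
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     ALTDB

route:      198.51.100.0/24
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route6:     2001:db8::/32
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     ALTDB

route:      203.0.113.0/24
origin:     AS64497
mnt-by:     MAINT-OTHER
source:     ALTDB

route:      192.0.2.0/24
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects (dict of lower-cased attribute -> value).

    Objects are separated by blank lines. Continuation lines are dropped and
    repeated attributes keep their first value; that is enough for route objects.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line[0] in " \t+" and current:   # RPSL continuation line
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), value.strip())
    if current:
        objects.append(current)
    return objects


def prefixes_for_origin(text, origin_as, trusted_sources):
    """Return the set of prefixes registered for `origin_as` in `trusted_sources`.

    Objects from sources outside the provider's profile are ignored, which is
    exactly why a customer moving registries needs the provider to update it.
    Malformed or non-canonical prefixes are skipped rather than guessed at.
    """
    origin_as = origin_as.upper()
    trusted = {s.upper() for s in trusted_sources}
    found = set()
    for obj in parse_rpsl(text):
        key = "route" if "route" in obj else "route6" if "route6" in obj else None
        if key is None or obj.get("origin", "").upper() != origin_as:
            continue
        if obj.get("source", "").upper() not in trusted:
            continue
        try:
            found.add(ipaddress.ip_network(obj[key], strict=True))
        except ValueError:
            continue
    return found


def render_prefix_lists(name, prefixes):
    """Render Cisco-style exact-match prefix-list lines, IPv4 then IPv6.

    Output is sorted so repeated runs over unchanged data produce an identical
    file; a provider that only pushes filters on change can diff the result.
    An origin with no objects gets an explicit deny, because a prefix-list that
    does not exist on the router permits everything.
    """
    by_addr = lambda p: (int(p.network_address), p.prefixlen)
    v4 = sorted((p for p in prefixes if p.version == 4), key=by_addr)
    v6 = sorted((p for p in prefixes if p.version == 6), key=by_addr)
    lines = [f"ip prefix-list {name} permit {p}" for p in v4]
    lines += [f"ipv6 prefix-list {name} permit {p}" for p in v6]
    if not lines:
        lines.append(f"ip prefix-list {name} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    found = prefixes_for_origin(SAMPLE_DUMP, "AS64496", ["ALTDB", "RADB"])
    for line in render_prefix_lists("AS64496-IN", found):
        print(line)
```

Run with only `["RADB"]` in the trusted list and the /24 that exists solely in ALTDB disappears from the filter, which is the failure mode the thread is worried about when a source stops being mirrored or honoured.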
On Wed, Jan 5, 2011 at 11:26 AM, Jon Lewis <jlewis@lewis.org> wrote:
Anyone here use AltDB? It seems their servers have been down for two days. Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb? I'm guessing
Since Level3 updates their prefix-lists at least daily, and integrates new ALTDB updates at least daily, and the ALTDB has been down for over a day, obviously it will not affect your Level3 prefix-lists in the near-term. If Level3 decided to stop honoring ALTDB objects, say, because ALTDB was never fixed, I imagine you would find it necessary to re-publish your objects or Level3 would stop honoring your routes.
I'd been thinking about moving from altdb to ARIN's but hadn't had sufficient motivation.
I emailed ARIN yesterday to ask if their IRR database has any authentication support (other than mail-from) yet. I haven't seen any reply from ARIN yet, but my guess is they still have no useful authentication mechanism. I would rather depend on an IRR database that can't process updates for a few days per year than use one where a malicious party could alter or erase all of my objects at any time.

I would like to note that RADB had route6: support in about 2004 or so, if my memory serves me; while the ARIN database did not accept route6 objects until about a year ago. So it is not exactly a high priority for ARIN.

Note also that Level3 has an IRR database, so you could use theirs if you want to. I don't prefer to use a transit provider database if I can use a "neutral" one, but sometimes I would rather not pay the (entirely reasonable) fee for the MERIT RADB.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
On Jan 5, 2011, at 12:07 PM, Jeff Wheeler wrote:
I would like to note that RADB had route6: support in about 2004 or so, if my memory serves me; while the ARIN database did not accept route6 objects until about a year ago. So it is not exactly a high priority for ARIN.
The priority of IRR at ARIN is based on community feedback and direction. There is no particular reason for ARIN to focus on ongoing IRR enhancements if the community isn't asking for such. ARIN needs to stay focused on its mission, and prioritize all work accordingly.

There has not been a clear consensus from the community one way or the other about enhancing the IRR services as part of that mission, nor on deeming it to be outside of the mission and phasing out the services. This makes it somewhat challenging for the Board and staff to discern the right approach, and leaves us simply maintaining the status quo for these services.

Should IRR services be part of the ARIN mission? ARIN-discuss would be a great mailing list on which to discuss this topic, or (along the lines of Randy's earlier comments) on this NANOG list, if the mailing list folks consider it to be on topic.

/John

John Curran
President and CEO
ARIN
On Sun, 9 Jan 2011, John Curran wrote:
Should IRR services be part of the ARIN mission?
If that's a serious question, why does rr.arin.net exist at all?

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Jan 9, 2011, at 3:02 PM, Jon Lewis wrote:
Should IRR services be part of the ARIN mission?
If that's a serious question, why does rr.arin.net exist at all?
Jon -

Existence is not in and of itself proof that the services are presently desired by the community, nor that there are benefits in having them provided by ARIN.

For example, one can argue that it is desirable for ARIN to provide IRR services in the case where allocation policy had dependencies into the state of the IRR; this is not the case in the ARIN region. Another reason for ARIN to offer services is if it can do so in a manner that would significantly improve their quality (one might argue such about resource certification via RPKI, but that's not as obvious for a routing registry).

At the end of the day, we want ARIN to be providing quality services around the registration of Internet number resources; these services need to be valued by the community and provided cost-effectively.

Do you:
1) want IRR services, and if so, with what features?
2) believe IRR services should be provided by ARIN?

Getting input from the community on this will significantly help the ARIN staff make informed recommendations to the ARIN Board regarding how to best proceed. I'd also welcome private email with these thoughts if that's your preference.

Thanks!
/John

John Curran
President and CEO
ARIN
Do you: 1) want IRR services, and if so, with what features? 2) believe IRR services should be provided by ARIN?
the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap. and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear. and thanks for asking. randy
On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush <randy@psg.com> wrote:
Do you: 1) want IRR services, and if so, with what features? 2) believe IRR services should be provided by ARIN?
the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap. and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.
I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR. All I am suggesting is that they prevent anonymous bad guys with no inside information, special access, or knowledge of passwords, from corrupting the data which some networks choose to publish in ARIN IRR.

I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service.

Imagine if there was a Slashdot article or something about this: how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
Do you: 1) want IRR services, and if so, with what features? 2) believe IRR services should be provided by ARIN?
the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap. and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.
I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR.
jeff, i do not disagree that running an irr instance with only mail-from is soooo 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd). but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it. but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics. randy
On Sun, Jan 9, 2011 at 6:48 PM, Randy Bush <randy@psg.com> wrote:
jeff, i do not disagree that running an irr instance with only mail-from is soooo 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd). but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it.
I agree that if ARIN thinks it would be "too costly" to support password authentication, they should make the database read-only so users will migrate away from it and no damage can be done by "bad guys."
but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics.
I understood what you meant, and again, I agree with you; there is no reason to invest "a lot" of time and resources in something that should be made obsolete by other work already in progress. The "fix" I want is simply eliminating the large liability of continuing to allow updates with MAIL-FROM authentication.

I believe ARIN IRR actually does support MD5 authentication, but if you email the ARIN IRR person, or go to ARIN's web site, you are told that only MAIL-FROM is allowed. So they probably already have the appropriate technical mechanism in place AND JUST AREN'T USING IT, and are actively discouraging users from utilizing it.

This would be an example of ARIN's ineffectiveness when it comes to operational matters, and is why I have real fear that RPKI may one day be a disaster because ARIN is an ineffective steward.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
On 01/09/2011 03:48 PM, Randy Bush wrote:
Do you: 1) want IRR services, and if so, with what features?
I think so. In theory it seems useful. In practice... http://www.renesys.com/blog/2009/05/keeping-score.shtml not so much.
2) believe IRR services should be provided by ARIN?
No. As I mentioned elsewhere in this thread, I don't see why an RIR is operating an IRR database. It seems to be something clearly in the realm of service providers (ie people who are making use of allocated resources).

John, can you shed some light on why this is the case? Was this requested by the community, or driven internally? Or both?

--
Charles N Wyble (charles@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344 Office: 310 929 8793
On 01/09/2011 03:41 PM, Jeff Wheeler wrote:
On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush <randy@psg.com> wrote:
Do you: 1) want IRR services, and if so, with what features? 2) believe IRR services should be provided by ARIN?
I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service. Imagine if there was a Slashdot article or something about this, how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also, create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.
So why hasn't this happened already? If it's so easy, then all the normal actors that like to cause us late nights would have struck already. And according to http://www.irr.net/docs/list.html there are lots of IRR databases.

I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now.

So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.

Can anyone enlighten me as to why an RIR is operating an IRR database? It doesn't make sense to me.

--
Charles N Wyble (charles@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344 Office: 310 929 8793
I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now.
So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.
Can anyone enlighten me as to why a RIR is operating an IRR database? It doesn't make sense to me.
Sure. I've been staying quiet on this thread, but as one person who has used (and still maintains a number of records in) ARIN's IRRd, I'll respond.

Firstly, there are many networks who want to put their IRR objects into a neutral and objective database. I know that AltDB is "free", but as I've been told before, if you want support, donate to the "Abha Ahuja Women in Science in Engineering" scholarship fund, otherwise your maintainer objects will never be approved (I know this one first hand). And RADB, which used to be free, charges a fee to have records maintained via their web GUI. Many network operators don't want to directly pay for such services, so ARIN makes sense in this regard. My original alternative was to set up my own IRRd, but I was glad not to have to go to the trouble.

Secondly, ARIN's IRRd is a lot easier to use than any service provider IRRd, as those are intended for customer records only, and if you wish to leave them, they will delete your records or just simply deny you support. Especially when said providers mirror ARIN's database. It's much like using PA vs PI IP space. If you want to be indebted to your provider, continue to use their "free" services.

Thirdly, with the above in mind, ARIN provides support to all members of ARIN, so you can get a real person on the phone or by email to respond to questions.

So, all in all, I am grateful that ARIN has supplied the IRRd service, would love to see the authentication enhanced, but otherwise I don't have any complaints. I encourage others to use the service regularly and am glad to see it getting some attention; we just need to make sure to channel the attention into enhancements and not limitations.

thanks,
charles
On Sun, Jan 9, 2011 at 11:00 PM, Charles N Wyble <charles@knownelement.com> wrote:
So why hasn't this happened already? If it's so easy, then all the normal actors that like to cause us late nights would have struck already.
As most of us in the net ops community know, there are many vulnerabilities that are very much non-obvious to a black hat guy used to DDoSing with botnets or exploiting the latest common daemon vulnerability. That is no assurance that this vulnerability will never be exploited. The very fact that we are talking about it on this mailing list (unfortunately) raises the chances that it will happen.

If there was an article on Slashdot, I bet significant corruption pranks or deliberate, malicious erasure would happen inside of a week. If I spent 15 minutes making a "HOWTO anonymously delete an ISP from the ARIN IRR with a telnet client and an open proxy" and spread it around to some IRC bad-guys, you can be assured we would be talking about damage control, not prevention, by tomorrow.

Finally, anyone who has ever 1) learned how email works; and 2) learned how to update their own IRR objects via email; can do it without reading anything, and has probably realized this vulnerability on their own years ago.
So I don't think ARIN should spend it's limited resources on anything to do with it's copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.
It is desirable to publish your IRR records in a neutral database, as opposed to a service provider database. Let's say I am a Level3 customer and I use their IRR. A year goes by, and I don't renew my contract with Level3; I instead start buying transit from AT&T. Well, AT&T does not operate an IRR database. Now I have to find a new place to publish my IRR data, *and* my new transit provider doesn't offer it as a service. If I have a need for IRR, I had better hope one of my other transit providers offers me a database, or use RADB, ALTDB, or another third-party database.

This is why MERIT has a bunch of customers paying annual fees for RADB, a valuable service; and why some great folks volunteer their time to maintain the ALTDB. It is also no doubt the reason ARIN has an IRR database, but unfortunately, the ARIN IRR is a liability, not an asset, to the net ops community.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
On Sun, 9 Jan 2011, Charles N Wyble wrote:
I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make
The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all the passwords in ALTDB before this thread dies.

I've been trying to convert from CRYPT-PW to PGPKEY auth, but I don't seem to be having much luck getting that working. I've put a key-cert (PGPKEY-7ABEC6A3) into altdb, and changed our mntner to permit either CRYPT-PW or PGPKEY-7ABEC6A3 for auth. But PGP signed update requests result in #ERROR: Authorization failure.

I'm not sure why I'm getting this auth failure. i.e. Something wrong with the formatting of my submissions? Something wrong with my key-cert? The certif: from my key-cert wasn't automatically imported into the auto-dbm keyring? I'm assuming I can take a RPSL format submission, save it to a file, use GPG to clearsign it, and put the result in the body of an email to auto-dbm.

It's also possible altdb doesn't actually have working PGP support. Looking at the database dump I downloaded the other day, only one mntner uses PGP as their sole auth method...and that mntner hasn't made changes to any objects since the last change to their mntner...so it could be they changed to PGP auth, never got it working, and abandoned altdb.

I was afraid of losing control of my mntner if there were issues with PGP, so I figured I'd add PGP as an auth method, test it, and then after seeing it work, remove CRYPT-PW.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Mon, Jan 10, 2011 at 12:37 PM, Jon Lewis <jlewis@lewis.org> wrote:
On Sun, 9 Jan 2011, Charles N Wyble wrote:
I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make
The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a passsword cracking program, and some modest computing capacity, you could crack all
DES crypt() is not completely trivial yet, but I agree, it is far from state-of-the-art. It is substantially superior to MAIL-FROM. In addition, MERIT reduced this problem by simply filtering out the hashes from the RADB.db file and whois output (and presumably also, the www.radb.net tools.)

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
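Two practical checks follow from the exchange between Jon and Jeff above: a mntner is only as strong as the weakest auth: method it lists (Jon's mntner that accepts CRYPT-PW *or* PGPKEY gains nothing from the PGP key until CRYPT-PW is removed), and a registry that publishes its dump should strip CRYPT-PW/MD5-PW hashes the way Jeff says MERIT does for RADB.db and whois output. The audit below is an added example, not code from the thread or from any IRR operator: the mntner objects, maintainer names, hashes and key-cert id are constructed, and the `CRYPT-PW # Filtered` placeholder form is an assumption modelled on what public IRR servers emit when they hide hashes.

```python
"""Audit auth: methods on IRR mntner objects and strip hashes from a dump.

Added example (not from the thread or any registry's code). SAMPLE_DUMP,
its mntner names, hashes and the PGPKEY id are constructed sample data.
"""
import re

# Ranked weakest first. Any listed method is sufficient to authorise an
# update, so a mntner is exactly as strong as its weakest entry.
STRENGTH = {
    "MAIL-FROM": 0,   # checks only the From: header, which anyone can forge
    "CRYPT-PW": 1,    # DES crypt(3): 8 significant chars, hash public unless filtered
    "MD5-PW": 2,      # salted MD5; still crackable offline if the hash is published
    "PGPKEY": 3,      # clearsigned update verified against a key-cert object
}

SAMPLE_DUMP = """\
mntner:     MAINT-LEGACY
descr:      only mail-from, so anyone can forge an update
auth:       MAIL-FROM .*@example\\.net
mnt-by:     MAINT-LEGACY
source:     EXAMPLE

mntner:     MAINT-MIXED
descr:      added PGP but kept the DES hash, so PGP adds nothing
auth:       CRYPT-PW abJnggxhB/yWI
auth:       PGPKEY-0123ABCD
mnt-by:     MAINT-MIXED
source:     EXAMPLE

mntner:     MAINT-PGPONLY
auth:       PGPKEY-0123ABCD
mnt-by:     MAINT-PGPONLY
source:     EXAMPLE

mntner:     MAINT-MD5
auth:       MD5-PW $1$saltsalt$0123456789abcdefghijklm
mnt-by:     MAINT-MD5
source:     EXAMPLE
"""

_AUTH_RE = re.compile(r"^auth:\s*(\S+)(.*)$", re.IGNORECASE)


def method_of(auth_value):
    """Map an auth: value to its scheme name; PGPKEY-<id> collapses to PGPKEY."""
    scheme = auth_value.split()[0].upper()
    return "PGPKEY" if scheme.startswith("PGPKEY-") else scheme


def audit_mntners(dump_text):
    """Return {mntner: {"methods": [...], "weakest": scheme}} for every mntner."""
    result, current = {}, None
    for line in dump_text.splitlines():
        if not line.strip():
            current = None            # blank line ends the object
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mntner":
            current = value.upper()
            result[current] = {"methods": [], "weakest": None}
        elif key == "auth" and current is not None:
            m = method_of(value)
            entry = result[current]
            entry["methods"].append(m)
            rank = STRENGTH.get(m, -1)   # unknown scheme: assume the worst
            if entry["weakest"] is None or rank < STRENGTH.get(entry["weakest"], -1):
                entry["weakest"] = m
    return result


def weak_mntners(dump_text, minimum="MD5-PW"):
    """Names of mntners whose weakest method ranks below `minimum`."""
    floor = STRENGTH[minimum]
    return sorted(name for name, e in audit_mntners(dump_text).items()
                  if e["weakest"] is None or STRENGTH.get(e["weakest"], -1) < floor)


def filter_hashes(dump_text):
    """Copy of the dump with CRYPT-PW / MD5-PW hashes replaced by a placeholder.

    This is what a registry should publish: the scheme stays visible (so the
    audit above still works on the filtered copy) but the crackable hash does
    not. PGPKEY ids and MAIL-FROM patterns carry no secret and are left alone.
    """
    out = []
    for line in dump_text.splitlines():
        m = _AUTH_RE.match(line)
        if m and method_of(m.group(1)) in ("CRYPT-PW", "MD5-PW"):
            out.append(f"auth:       {m.group(1).upper()} # Filtered")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, entry in audit_mntners(SAMPLE_DUMP).items():
        print(f"{name:16} weakest={str(entry['weakest']):9} methods={entry['methods']}")
    print("below MD5-PW:", weak_mntners(SAMPLE_DUMP))
    print(filter_hashes(SAMPLE_DUMP))
```

Running `audit_mntners` over a real dump (e.g. the ALTDB file Jon downloaded) reports MAINT-MIXED-style objects as CRYPT-PW, not PGPKEY, which is the check to run before deciding that adding a key-cert has actually improved anything.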
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote: [snip]
Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change. Archives are here in case people want to know what the latest was: <ftp://rr.level3.net/pub/rr/archive.mirror-data/> regards
On 05/01/2011 17:09, Craig Pierantozzi wrote:
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
[snip]
Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change.
Archives are here in case people want to know what the latest was: <ftp://rr.level3.net/pub/rr/archive.mirror-data/>
regards
So has anyone had any contact from ALTDB as to what's going on? Thanks! --J
On Jan 5, 2011, at 12:15 PM, Jay Coley wrote:
On 05/01/2011 17:09, Craig Pierantozzi wrote:
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
[snip]
Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change.
Archives are here in case people want to know what the latest was: <ftp://rr.level3.net/pub/rr/archive.mirror-data/>
regards
So has anyone had any contact from ALTDB as to what's going on?
I don't know, but I'd like to make a suggestion that most people will just reject, .. but ...

1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available, or make a proposal to improve it. Last time around, it wasn't very exciting for many people.

2) If you DEPEND on something for your business, it may just be "worth it" to:
   a) pay RADB who operates professionally
   b) use your ISP provided IRR (eg: NTT, level3, savvis, etc)

You are less likely to encounter business issues due to the mirroring/latency etc of RADB -> YourISP or ALTDB -> YourISP if you use them as you have a direct business relationship. They may even prefer their objects over the RADB seen ones.

- Jared
On 2011-01-05, at 12:31, Jared Mauch wrote:
2) If you DEPEND on something for your business, it may just be "worth it" to: a) pay RADB who operates professionally b) use your ISP provided IRR (eg: NTT, level3, savvis, etc)
I generally recommend that people use the RIPE database, regardless of location. The main reason for that used to be that they supported IPv6 policy attributes before anybody else did, but that's quite possibly no longer a useful discriminator. If you ever have ambitions to announce a route to a peer in Europe, having objects in the RIPE db can also help avoid annoyance. Joe
1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available
this is not address policy. this is ops. surely one does not have to dirty one's self with the ppml list to get an ops fix done in arin. it is not address policy. i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely. randy
On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe).
I heard about the delay, but not about ARIN possibly not doing RPKI. That would be ... surprising. While I have always had some questions regarding the political (not technical) feasibility of actually deploying secure routing based on the top-down hierarchical model assumed by RPKI, it seems obvious to me that there needs to be a better way to authenticate allocation data other than querying a whois server. RPKI will (would have?) provided this and the actual deployment of RPKI would allow the ops community to gain experience with the technology.
as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely.
The definition of what comes under the "public policy mailing list" umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region. Regards, -drc
On Thu, Jan 6, 2011 at 1:21 AM, David Conrad <drc@virtualized.org> wrote:
On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe).
I heard about the delay, but not about ARIN possibly not doing RPKI. That would be ... surprising. While I have always had some questions regarding the political (not technical) feasibility of actually deploying secure routing based on the top-down hierarchical model assumed by RPKI, it seems obvious to me that there needs to be a better way to authenticate allocation data other than querying a whois server. RPKI will (would have?) provided this and the actual deployment of RPKI would allow the ops community to gain experience with the technology.
pls express this to your local BoT or AC or ARIN Rep... see the other thread. thanks! -Chris
On Jan 5, 2011, at 8:43 PM, Christopher Morrow wrote:
pls express this to your local BoT or AC or ARIN Rep... see the other thread.
As I am not an ARIN member nor do I have any ARIN-delegated resources, it isn't clear to me who my local BoT/AC/ARIN Rep might be. However, as I'm aware some of the folks you mention are on NANOG, I suspect they might have seen my comment (FWIW). Regards, -drc
-----Original Message----- From: David Conrad [mailto:drc@virtualized.org]
The definition of what comes under the "public policy mailing list" umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region.
I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs. Lee
Lee, On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs.
While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say "BCOP is to use IETF-defined standards for publishing and accessing resource registration data", I'd imagine ARIN might (reasonably) disagree and continue down the RWS path.

I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.

Regards,
-drc
I suspect part of the issue is that ARIN is a monopoly provider of a variety public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
having worked closely with a number of other RIRs, sad to say that a lot still goes on under the table [0]. hence my cspan analogy, shed some light in the corners. the community should be transparent before wikileaks gets to us. :) randy -- [0] - an old sardonic comment of mine on ripe is that it is a bottom up organization, and daniel and rob are at the bottom. and wear thick rubber/leather gloves when entering apnic.
On Jan 8, 2011, at 1:15 PM, David Conrad wrote:
Lee,
On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs.
While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say "BCOP is to use IETF-defined standards for publishing and accessing resource registration data", I'd imagine ARIN might (reasonably) disagree and continue down the RWS path.
I suspect part of the issue is that ARIN is a monopoly provider of a variety public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
Regards, -drc
In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above. People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community and the board listens to these things and responds appropriately. Especially if a suggestion receives significant support, it tends to get implemented. Owen
Owen, On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
I suspect part of the issue is that ARIN is a monopoly provider of a variety public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above.
Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to my understanding, are responsible to the public. In my experience on ARIN's board, the key role of the board was to ensure the public policy process was followed, not oversight of how public services are provided. However, things might have changed -- that was some time ago.
People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community
Which community? ARIN or NANOG?
and the board listens to these things and responds appropriately.
Somewhat as an aside, I'm a bit surprised the board would get involved at the level of detail this implies. I would've thought how public services are to be provided would be an operational decision made by the ARIN CEO/staff and that the board would only get involved to ensure sufficient resources were available.
Especially if a suggestion receives significant support, it tends to get implemented.
My impression of the concern is that the definition of support and decisions regarding what gets implemented are made within a subset of the network operations community. Regards, -drc
On Jan 10, 2011, at 8:23 PM, David Conrad wrote:
Owen,
On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
I suspect part of the issue is that ARIN is a monopoly provider of a variety public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above.
Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to my understanding, are responsible to the public. In my experience on ARIN's board, the key role of the board was to ensure the public policy process was followed, not oversight of how public services are provided. However, things might have changed -- that was some time ago.
Yes, ARIN BoT members have fiduciary responsibility for ARIN. However, the ARIN charter is not the same as most corporations. Indeed, as I understand it, the ARIN charter requires that ARIN disband itself if that is determined to be what is in the best interests of the community. The board is accountable to the ARIN membership, which includes all subscriber ISPs and others who pay their annual membership dues. I believe the board both ensures that the public policy process is followed and performs other executive management and leadership functions governing the operations of ARIN at a high level. Obviously most of the day-to-day decision making for that is vested in the CEO who also sits on the board.
People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community
Which community? ARIN or NANOG?
Those who subscribe to PPML. If you are interested in having a voice in ARIN policies or how ARIN operates, it's essential to be on that list.
and the board listens to these things and responds appropriately.
Somewhat as an aside, I'm a bit surprised the board would get involved at the level of detail this implies. I would've thought how public services are to be provided would be an operational decision made by the ARIN CEO/staff and that the board would only get involved to ensure sufficient resources were available.
For the most part, it is. However, if the community is asking for something ARIN isn't doing or pushing for ARIN to change how it does something, the board tends to at least review the matter.
Especially if a suggestion receives significant support, it tends to get implemented.
My impression of the concern is that the definition of support and decisions regarding what gets implemented are made within a subset of the network operations community.
Anyone who wants to participate can join the mailing list and do so. I'm not sure how you would extend it to a wider group without seriously diminishing returns. Owen
On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs.
While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say "BCOP is to use IETF-defined standards for publishing and accessing resource registration data", I'd imagine ARIN might (reasonably) disagree and continue down the RWS path.
I don't think of BCOP as a subset of NANOG, but as an overlap of several communities, including NANOG and ARIN. Certainly ARIN is not bound by BCOP's findings (no one would be), but the AC and Board would take seriously a community-consensus best practice. I doubt ARIN would be surprised by any BCOP finding, given the involvement of several ARIN AC members in it.
I suspect part of the issue is that ARIN is a monopoly provider of a variety public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
Are you saying ARIN needs an ombudsman function to make sure the Board doesn't delay implementation of things the community wants while it figures out whether doing such things will prevent it from doing other things the community wants? I don't understand how this bee-watcher-watcher thing works. Lee
Lee, On Jan 9, 2011, at 8:40 AM, Lee Howard wrote:
Are you saying ARIN needs an ombudsman function to make sure the Board doesn't delay implementation of things the community wants while it figures out whether doing such things will prevent it from doing other things the community wants?
No (or at least I don't think so -- I have difficulty parsing that sentence). I'm suggesting that the informal input mechanisms historically and currently used by ARIN to determine what should be done (and to some extent how) may be insufficient, inefficient, and/or imply certain risks given that many of the services provided by ARIN are done on a monopoly basis and failure of those service could have global effect. Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.
I don't understand how this bee-watcher-watcher thing works.
Sorry, which? Regards, -drc
On 1/11/2011 12:57 AM, David Conrad wrote:
Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.
Public easily reachable people. Public information on operations and what they do on their website with tons of pointers (even if it's not laid out the best). Public participation mailing lists. Presence of key people on other lists such as nanog. What more is an org supposed to do to communicate with people? Even the CEO lurks on nanog and responds when necessary. What community were you wanting them to interface with? I could be wrong, but I suspect any genius ideas which the CEO hears via the various communication mediums may quickly find its way to be implemented. Sure, it may get restricted to some degree depending on how people in PPML feel about it. I'm sure the membership has some say on how their money is spent. Neither of these things limit the ability to suggest an idea. Jack
On Jan 11, 2011, at 6:15 AM, Jack Bates wrote:
On 1/11/2011 12:57 AM, David Conrad wrote:
Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.
Public easily reachable people. Public information on operations and what they do on their website with tons of pointers (even if it's not laid out the best). Public participation mailing lists. Presence of key people on other lists such as nanog.
What more is an org supposed to do to communicate with people? Even the CEO lurks on nanog and responds when necessary. What community were you wanting them to interface with? I could be wrong, but I suspect any genius ideas which the CEO hears via the various communication mediums may quickly find its way to be implemented. Sure, it may get restricted to some degree depending on how people in PPML feel about it. I'm sure the membership has some say on how their money is spent. Neither of these things limit the ability to suggest an idea.
Jack
Just to be clear... Participation in PPML is open to ANYONE, not just ARIN members. There are a lot of non-members on PPML and their voices count just as much as members on that list. Owen
On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:
1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available
this is not address policy. this is ops. surely one does not have to dirty one's self with the ppml list to get an ops fix done in arin. it is not address policy.
i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely.
Randy - Excellent point; my apologies for not realizing this sooner and posting some information directly for consideration by the NANOG community. Attached is a message from the arin-discuss mailing list which has some more context; please feel free to discuss this on the arin-discuss mailing list or here on NANOG (as appropriate) Thanks! /John Begin forwarded message:
From: John Curran <jcurran@arin.net> Date: January 6, 2011 11:08:39 AM EST To: "George, Wes E [NTK]" <Wesley.E.George@sprint.com> Cc: "arin-discuss@arin.net" <arin-discuss@arin.net> Subject: Re: [arin-discuss] Important Update Regarding Resource Certification
On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
There have been some threads about this on NANOG in the last few days. Can we get a bit clearer explanation of what the specific security concerns are and why they are delaying things? It may also make sense for someone from ARIN to post to NANOG with an explanation as well. If there are security concerns, it is something that the community should be aware of in case other RIRs or the SIDR WG need to be considering those issues as well.
Thanks, Wes George
George -
The security concerns are not specifically related to the RPKI protocol, but inherent implications of any service that might be heavily relied upon for real-time network operations, i.e. I don't think it's a SIDR WG matter, but simply part of the due diligence associated with the service as noted below.
While the RIRs presently provide services which are used to support operations (such as WHOIS and Reverse DNS services), failure of RIR resource certification services could have some very significant consequences, particularly in the case of incorrect data as opposed to simply unavailable data. There are some potential liability implications of operating such a service that ARIN is presently reviewing in depth. I need to also note that these issues exist even in the case of a perfectly secure and operational service, in that an error by an ISP using ARIN's services (e.g. having entered the wrong AS number into a ROA for a major customer) could result in ARIN needing to readily "prove" the integrity of its resource certification system as well as fidelity of performance against the operators request.
This has led ARIN to consider some aspects of its resource certification design, specifically to mitigate potential risks in the areas of non-repudiation and multi-party controls. Even so, the ultimate decision in these matters lies with the ARIN Board, as there is always going to be residual risk associated with any operations-related service provided by ARIN (note also that we have also discussed these issues with the other RIRs, but as they don't operate in ARIN's highly-litigious region, it is not necessarily a similar priority for their consideration).
To the extent that ARIN offering resource certification services is important to your plans, it would be good to express such needs on the arin-discuss mailing list. This helps us gauge the demand which obviously is another important factor to be considered in making the final determination on offering these services.
We intend to have more detailed information out later this month once the plans are finalized, but I hope the above information provides some insight into the process at this point. I will post this to the NANOG list for the community's information.
Thanks! /John
John Curran President and CEO ARIN
p.s. I'm presently on a Caribbean cruise ship on a bona fide family vacation, so please recognize that replies may be deferred to off hours so that my laptop isn't thrown overboard... ;-)
hi john, sorry to disturb your cruise.
as you know, from the get go, the hierarchic nature of the pki has worried the ops folk involved. this is why documents such as draft-ietf-sidr-rpki-origin-ops-00.txt say things such as
    RPKI-based origin validation has been designed so that, with prudent local routing policies, there is no liability that normal Internet routing is threatened by unprudent deployment of the global RPKI, see Section 5.
    ...
    5. Routing Policy
    Origin validation based on the RPKI merely marks a received announcement as having an origin which is Validated, Unknown, or Invalid. How this is used in routing is up to the router operator's local policy. See [I-D.pmohapat-sidr-pfx-validate].
    Reasonable application of local policy should be designed eliminate the threat of unroutability of prefixes due to ill-advised or incorrect certification policies.
    As origin validation will be rolled out over years coverage will be spotty for a long time. Hence a normal operator's policy should not be overly strict, perhaps preferring valid announcements and giving very low preference, but still using, invalid announcements.
    Some may choose to use the large Local-Preference hammer. Others might choose to let AS-Path rule and set their internal metric, which comes after AS-Path in the BGP decision process.
    Certainly, routing on unknown validity state will be prevalent for a long time. Until the community feels comfortable relying on RPKI data, routing on invalid origin validity, though at a low preference, may be prevalent for a long time.
    Announcements with valid origins SHOULD be preferred over those with unknown or invalid origins. Announcements with unvalidatable origins SHOULD be preferred over those with invalid origins. Announcements with invalid origins MAY be used, but SHOULD be less preferred than those with valid or unknown.
of course, in the US, this will not prevent litigation. nothing will. it's a mental disease. randy
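The two messages above describe the same mechanism from opposite ends: John Curran's worry that an operator entering the wrong AS number into a ROA could make a customer's routes fail validation, and the draft text Randy quotes saying that local policy, not the RPKI itself, decides what happens to a Valid, Unknown or Invalid announcement. The following is an added example, not code from ARIN, the draft, or anyone in the thread. It implements origin validation against a constructed ROA set (RFC 6483 semantics: Unknown when no ROA covers the prefix, Valid when a covering ROA names the origin AS and permits the announced length, Invalid otherwise) and then applies the draft's Section 5 preference order, keeping Invalid routes usable at a low preference. The prefixes are RFC 5737 documentation space, the AS numbers are from the RFC 5398 documentation range, and the local-preference values are an assumption chosen for illustration.

```python
# Added example: RPKI route-origin validation plus the local policy from
# Section 5 of the quoted draft. Not ARIN's or the draft's own code. The ROAs,
# prefixes (RFC 5737 documentation space) and AS numbers (RFC 5398 range) are
# constructed, and the local-preference values are an assumption.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the holder authorises, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder allows to be announced
    origin_as: int   # AS authorised to originate it


# Constructed ROA set. maxLength 25 on 192.0.2.0/24 lets the holder announce
# the /24 and /25s, but nothing more specific.
ROAS = [
    ROA("192.0.2.0/24", 25, 64496),
    ROA("203.0.113.0/24", 24, 64500),
]


def covering_roas(roas, announced):
    """ROAs whose prefix covers the announced prefix (same address family)."""
    net = ipaddress.ip_network(announced, strict=False)
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == net.version
            and net.subnet_of(ipaddress.ip_network(r.prefix))]


def validate_origin(roas, announced, origin_as):
    """Return 'valid', 'invalid' or 'unknown' (RFC 6483 semantics).

    unknown: no ROA covers the prefix at all (RPKI coverage is spotty).
    valid:   some covering ROA names this origin AS and permits this length.
    invalid: covering ROAs exist, but none matches both AS and length.
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "unknown"
    length = ipaddress.ip_network(announced, strict=False).prefixlen
    if any(r.origin_as == origin_as and length <= r.max_length for r in covering):
        return "valid"
    return "invalid"


# Local policy in the spirit of the draft's Section 5: prefer valid over
# unknown over invalid, but keep using invalid routes at low preference so a
# wrong or ill-advised ROA cannot by itself make a prefix unroutable.
# The numbers are an assumption, not something the draft specifies.
LOCAL_PREF = {"valid": 110, "unknown": 100, "invalid": 50}


def route_decision(roas, announced, origin_as):
    """Validation state plus the local-pref the policy assigns; never rejects."""
    state = validate_origin(roas, announced, origin_as)
    return {"state": state, "accept": True, "local_pref": LOCAL_PREF[state]}


if __name__ == "__main__":
    # The wrong-AS case from John Curran's message: the customer really
    # originates 192.0.2.0/24 from AS 64497, but the ROA was entered for 64496.
    cases = [
        ("192.0.2.0/24", 64496),     # valid
        ("192.0.2.0/25", 64496),     # valid, within maxLength
        ("192.0.2.0/26", 64496),     # invalid, more specific than maxLength
        ("192.0.2.0/24", 64497),     # invalid, ROA names a different origin
        ("198.51.100.0/24", 64498),  # unknown, no ROA covers it
    ]
    for prefix, asn in cases:
        d = route_decision(ROAS, prefix, asn)
        print(f"{prefix:18} AS{asn}  {d['state']:8} local-pref {d['local_pref']}")
```

The point the example makes concrete is that the mis-entered ROA produces an Invalid state for the customer's real announcement, but under the draft's policy the route is still installed, only with the lowest preference; the failure mode is degraded path selection, not unreachability, which is exactly the property the quoted Section 5 text is designed to preserve.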
participants (16): Charles Gucker, Charles N Wyble, Christopher Morrow, Craig Pierantozzi, David Conrad, Jack Bates, Jared Mauch, Jay Coley, Jeff Wheeler, Joe Abley, John Curran, Jon Lewis, Lee Howard, Owen DeLong, Randy Bush, Randy Epstein