Hi Nanog,
Does anyone have any inside information what may be happening in the effort to have a single trust anchor for RPKI? Is ICANN still working on this? If so is there any timeline or published info of any kind?
Most of the information I can find is about 2 years old.
Any links or info of any kind would be much appreciated.
Thanks,
Marcel Plug
NRO, the RIRs collective, is still working on this. It's listed as an open action item since Q2 this CY at NRO Executive Council meetings: http://www.nro.net
It's very unlikely that ICANN, which sees the NRO as its address support organization, will move on this before NRO does.
Rubens
Actually, ICANN had an RPKI pilot in operation back in 1996 or so. For political reasons (as far as I can tell), the RIRs refused to let ICANN/IANA play. Unless the RIRs are willing to accept ICANN/IANA as the root TA as recommended by the IAB, ICANN can't move forward.
Regards,
-drc
----
Mobile device, sorry about tpyos
I think David meant 2006, not 1996.
-Barb Roseman
Barb,
You've apparently forgotten ICANN's time distortion field (which they'll be inventing very shortly with the zillions of dollars they'll get from the new gTLD program).
Err, yeah. 2006. Apologies -- typing on a cellphone can be distracting.
Regards,
-drc
> Actually, ICANN had an RPKI pilot in operation back in 1996 or so. For political reasons (as far as I can tell), the RIRs refused to let ICANN/IANA play. Unless the RIRs are willing to accept ICANN/IANA as the root TA as recommended by the IAB, ICANN can't move forward.
the rirs should get their next (ipv6) address allocations from the nro pool, eh?
On Aug 5, 2013, at 2:26 PM, Marcel Plug <marcelplug@gmail.com> wrote:
> Hi Nanog,
> Does anyone have any inside information what may be happening in the effort to have a single trust anchor for RPKI? Is ICANN still working on this? If so is there any timeline or published info of any kind?
> Most of the information I can find is about 2 years old.
> Any links or info of any kind would be much appreciated.
Hello Marcel -
The IAB and the five RIRs have both indicated that it is desirable to have a single trust anchor for RPKI. The IAB made a statement in 2010 here <http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07028.html> and in August 2011, the RIRs asked to meet with ICANN to work towards "an ICANN-hosted global trust anchor for the RPKI system." <http://www.nro.net/news/nro-communication-to-icann-on-rpki-global-trust-anchor> ICANN has indicated that it is willing to host such a service, and has included support for it within ICANN budget each year.
Since that time, there has been quite a bit of technical work going on between the RIRs' and ICANN's technical teams, including work to document some of the technical issues that might result from having a global trust anchor (if you are interested in those, you might want to follow the IETF sidr working group.) I would say that slow and steady progress is being made towards the technical ability to have a single global trust anchor (including understanding some of the more interesting things that happen with key roll-overs, block transfers between RIRs, etc.); my present estimate is that we'll have a solid understanding of technical steps and consequences for deploying an RPKI global trust anchor by the end of 2013. There is discussion of preparing an ICANN/RIR testbed at that time to demonstrate technical compatibility and functionality of the RPKI system while making use of a Global Trust Anchor.
In parallel, there is another set of issues being worked, and that is engaging with the operator community in each region to understand their desire for having a global trust anchor. It has been noted that relying on such a construct will effectively create a single point of "control" for Internet operational routing (to the extent that folks everywhere begin actively validating routes using RPKI.) There is a single point of failure argument against a global trust anchor, as well as creation of a point of potential compromise, whether due to malfeasance or actual governmental interference. Note that these types of concerns are very similar to those faced by DNSSEC, and in that case they were able to be managed in an acceptable manner. The discussion of the merit of a single trust anchor is still ongoing among operators globally, and will need to reach convergence in order to proceed (in addition to the technical issues outlined above.)
So, Marcel, please allow me to turn the question around... Do you believe that there should be an RPKI Global Trust Anchor? Are you concerned about the potential aggregation of control and risk that may result? (Feel free to answer me privately if you would prefer.)
At the point in time when we understand the technical architecture being proposed and its implications, we will formally poll the ARIN and NANOG community on the question of whether there is support for having an RPKI Global Trust Anchor. My best estimate is that this will occur near the end of this year, but there's nothing wrong with having some discussion in the meantime if the mailing list is otherwise quiet. :-)
I hope this provides some insight - thank you for asking about it, as it has been too long since any status update on this project (I will work on that as well for the very near future.)
Thanks!
/John
John Curran
President and CEO
ARIN
John,
Thanks for the update! It's good to hear that progress is being made.
Is there a place where the challenges and solutions are being discussed publicly? It's interesting that you raise DNSSEC in comparison since the two technologies have many similarities. One of the things that made DNSSEC successful was the wide-ranging public discussion that not only led to concerns that would likely not have been uncovered otherwise, but also solutions to those and other problems.
Doug
On Aug 6, 2013, at 12:25 AM, Doug Barton <dougb@dougbarton.us> wrote:
> John,
> Thanks for the update! It's good to hear that progress is being made.
> Is there a place where the challenges and solutions are being discussed publicly? It's interesting that you raise DNSSEC in comparison since the two technologies have many similarities. One of the things that made DNSSEC successful was the wide-ranging public discussion that not only led to concerns that would likely not have been uncovered otherwise, but also solutions to those and other problems.
Agreed. I believe that it is necessary to do the same with respect to any global trust anchor architecture for RPKI, and believe that much of this needs to take place initially in the IETF sidr working group. The first step of that process is to have an initial draft doc for discussion (which is presently being written by the ICANN/RIR technical folks.)
FYI,
/John
John Curran
President and CEO
ARIN
Thanks for your detailed response John. Further comments inline.
On Mon, Aug 5, 2013 at 9:58 PM, John Curran <jcurran@arin.net> wrote:
> So, Marcel, please allow me to turn the question around... Do you believe that there should be an RPKI Global Trust Anchor? Are you concerned about the potential aggregation of control and risk that may result? (Feel free to answer me privately if you would prefer.)
Having a single root seems like the right way to go. There will always be the threat (real or imagined) of outside interference. For that reason I'm sure there will be a small droid army of independent systems monitoring and studying every change the Global Trust Anchor makes - ready to sound the alarm. It's probably easier to keep an eye on one trust anchor than it is to monitor 5 of them. All the other arguments I've heard are in favour of a one-TA system so I won't repeat them.
> At the point in time when we understand the technical architecture being proposed and its implications, we will formally poll the ARIN and NANOG community on the question of whether there is support for having an RPKI Global Trust Anchor. My best estimate is that this will occur near the end of this year, but there's nothing wrong with having some discussion in the meantime if the mailing list is otherwise quiet. :-)
> I hope this provides some insight - thank you for asking about it, as it has been too long since any status update on this project (I will work on that as well for the very near future.)
As I said, thanks for the update.
> Thanks!
> /John
> John Curran
> President and CEO
> ARIN
Marcel
participants (8)
- Barbara Roseman
- David Conrad
- Doug Barton
- John Curran
- Marcel Plug
- Randy Bush
- Rubens Kuhl
- Valdis.Kletnieks@vt.edu