can you find the fatal flaw?
[ hint: how does an isp in phnom penh validate my route? ]

randy
On 9/5/12 3:26 AM, "Randy Bush" <randy@psg.com> wrote:
> can you find the fatal flaw?
> [ hint: how does an isp in phnom penh validate my route? ]
> randy

Hi Randy

Your question is a bit cryptic. Could you be more specific about your concern?

Thanks,
Mark
I think Randy meant to imply that requiring anyone that wants to actually use the RPKI to make a legal agreement with ARIN might not be the best way to encourage deployment.

On Wed, Sep 5, 2012 at 2:56 PM, Mark Kosters <markk@arin.net> wrote:
> On 9/5/12 3:26 AM, "Randy Bush" <randy@psg.com> wrote:
>> can you find the fatal flaw?
>> [ hint: how does an isp in phnom penh validate my route? ]
>> randy
>
> Hi Randy
> Your question is a bit cryptic. Could you be more specific about your concern?
> Thanks, Mark
On Wed, Sep 5, 2012 at 3:05 PM, Richard Barnes <richard.barnes@gmail.com> wrote:
> I think Randy meant to imply that requiring anyone that wants to actually use the RPKI to make a legal agreement with ARIN might not be
> the best way to encourage deployment.

define 'use'...
 o 'stick their objects into the repo' - sure, a contract sounds good
 o 'access the repo to download content' - no, that doesn't sound like it needs a contract

is this a messaging problem/issue or did ARIN mean that 'to download content you must sign an agreement/contract with ARIN?' (I hope that the answer is: "of course not! that sounds silly... our messaging could be improved")

a closer (by me) reading of:
" In order to access the production RPKI TAL, you will first have to agree to ARIN's Relying Party Agreement before the TAL will be emailed to you. To request the TAL after the production release, follow this link: http://www.arin.net/public/rpki/tal/index.xhtml"
though kinda leads me into the hole randy/richard fell into... 'to poke the TAL and figure out where things are, you have to sign an agreement'.

Isn't the structure of the global system something like: "each asn has a publication point, potentially some share publication-points, everyone has to access everyone else's publication point"? and 'TAL' ... seems odd to me as an RP; don't I want the one TA from IANA (yes, eventually) or at the very least the 1 from each RIR? (which is a simple single item to download and use in validating the content I get from all the rest of the world?)

-chris

> On Wed, Sep 5, 2012 at 2:56 PM, Mark Kosters <markk@arin.net> wrote:
>> On 9/5/12 3:26 AM, "Randy Bush" <randy@psg.com> wrote:
>>> can you find the fatal flaw?
>>> [ hint: how does an isp in phnom penh validate my route? ]
>>> randy
>>
>> Hi Randy
>> Your question is a bit cryptic. Could you be more specific about your concern?
>> Thanks, Mark
On Wed, Sep 5, 2012 at 7:24 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> .....
> a closer (by me) reading of:
> " In order to access the production RPKI TAL, you will first have to agree to ARIN's Relying Party Agreement before the TAL will be emailed to you. To request the TAL after the production release, follow this link: http://www.arin.net/public/rpki/tal/index.xhtml"
> though kinda leads me into the hole randy/richard fell into... 'to poke the TAL and figure out where things are, you have to sign an agreement'.

My interpretation was what Randy implied, and that ARIN wants an agreement with everyone who gets a (presumably unique to the agreement) TAL to protect ARIN. That would seem like a lot of overhead to maintain to me (since as I recall a TAL may never, ever (ok, very rarely) change), but then appropriate risk management has always been an interesting thing to watch in the (potentially litigious) ARIN region.

Gary
On Sep 5, 2012, at 3:32 PM, Gary Buhrmaster wrote:
> My interpretation was what Randy implied, and that ARIN wants an agreement with everyone who gets a (presumably unique to the agreement) TAL to protect ARIN. That would seem like a lot of overhead to maintain to me (since as I recall a TAL may never, ever (ok, very rarely) change), but then appropriate risk management has always been an interesting thing to watch in the (potentially litigious) ARIN region.

I'll let Randy speak for Randy (only he could do such a fine job). I do agree with Chris (and many others) that this whole thing falls apart pretty quickly without a single root (e.g., think of the browser CA problem) -- for many reasons.

I'd wager what ARIN is going to do in said "Relying Party Agreement" is tell RPs (i.e., *relying* parties) that they ought not rely too much on the data for routing, and if they do and something gets hosed, ARIN's not at fault -- but I'll wait to read the actual agreement before speculating more.

-danny
> I'd wager what ARIN is going to do in said "Relying Party Agreement" is tell RPs (i.e., *relying* parties) that they ought not rely too much on the data for routing, and if they do and something gets hosed, ARIN's not at fault -- but I'll wait to read the actual agreement before speculating more.

that too is my *speculation*. which would be interesting, as accurate primary data is arin's primary responsibility. but anyone who has looked at any of the rirs' data seriously needed a strong stomach.

randy
On Sep 5, 2012, at 8:24 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> " In order to access the production RPKI TAL, you will first have to agree to ARIN's Relying Party Agreement before the TAL will be emailed to you. To request the TAL after the production release, follow this link: http://www.arin.net/public/rpki/tal/index.xhtml"

If a relying party's use of PKI infrastructure legally equated to acceptance of the relying party agreement (RPA), then having an explicit record of acceptance of the RPA would not be necessary. Alas, it does not appear possible to equate use of PKI certificates with agreement to the associated RPA (and some might argue that this is a feature, as some folks would not want to be legally bound to an agreement which they did not explicitly review and accept.)

FYI,
/John
On Thu, Sep 6, 2012 at 5:37 AM, John Curran <jcurran@arin.net> wrote:
> If a relying party's use of PKI infrastructure legally equated to acceptance of the relying party agreement (RPA), then having an explicit record of acceptance of the RPA would not be necessary.
> Alas, it does not appear possible to equate use of PKI certificates with agreement to the associated RPA (and some might argue that this is a feature, as some folks would not want to be legally bound to an agreement which they did not explicitly review and accept.)

John, Randy:

I'm confused. Are you saying that unlike a whois lookup, I'll need a contract with ARIN to look up and validate someone else's RPKI certificate? Would you clarify which parts of RPKI I need a contract with ARIN to do and which parts I do not?

Thanks,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
> If a relying party's use of PKI infrastructure legally equated to acceptance of the relying party agreement (RPA), then having an explicit record of acceptance of the RPA would not be necessary.
> Alas, it does not appear possible to equate use of PKI certificates with agreement to the associated RPA (and some might argue that this is a feature, as some folks would not want to be legally bound to an agreement which they did not explicitly review and accept.)

do you have a r&d group devoted to how much you can delay, damage, warp, half-assed implement, ... rpki? look around you at the real world, the other rirs (especially ripe/ncc), etc. the only part of it where arin seems to be doing a serious job is bs generation. thanks.

randy
On Sep 7, 2012, at 7:31 AM, Randy Bush <randy@psg.com> wrote:
>> If a relying party's use of PKI infrastructure legally equated to acceptance of the relying party agreement (RPA), then having an explicit record of acceptance of the RPA would not be necessary.
>> Alas, it does not appear possible to equate use of PKI certificates with agreement to the associated RPA (and some might argue that this is a feature, as some folks would not want to be legally bound to an agreement which they did not explicitly review and accept.)
>
> do you have a r&d group devoted to how much you can delay, damage, warp, half-assed implement, ... rpki? look around you at the real world, the other rirs (especially ripe/ncc), etc. the only part of it where arin seems to be doing a serious job is bs generation. thanks.

Good morning Randy -

Are you indicating that RPKI services should be offered without any RPA (and/or CPS) at all, or that these agreements should legally adhere without explicit agreement? There is a statement expressing that CPS or RPA might benefit from the latter treatment in section 3.4 of the Internet PKI framework (RFC 3647), but it does not actually hold legally true at the present time. If you have more insight or clarity on this matter, it would be most welcome.

Thanks!
/John

John Curran
President and CEO
ARIN
> Good morning Randy -

it is late afternoon

> Are you indicating that RPKI services should be offered without any RPA (and/or CPS) at all, or that these agreements should legally adhere without explicit agreement? There is a statement expressing that CPS or RPA might benefit from the latter treatment in section 3.4 of the Internet PKI framework (RFC 3647), but it does not actually hold legally true at the present time. If you have more insight or clarity on this matter, it would be most welcome.

does arin run an irr instance? how much legal bs have you wrapped around it?

randy
On Sep 7, 2012, at 7:55 AM, Randy Bush <randy@psg.com> wrote:
>> Good morning Randy -
>
> it is late afternoon

Indeed... that may contribute significantly to the difference in perspective. In the US, little details such as legal structures often take on greater importance than would be otherwise warranted.

>> Are you indicating that RPKI services should be offered without any RPA (and/or CPS) at all, or that these agreements should legally adhere without explicit agreement? There is a statement expressing that CPS or RPA might benefit from the latter treatment in section 3.4 of the Internet PKI framework (RFC 3647), but it does not actually hold legally true at the present time. If you have more insight or clarity on this matter, it would be most welcome.
>
> does arin run an irr instance?

Yes.

> how much legal bs have you wrapped around it?

If we were establishing it today, I do not know what, if any, legal machinations would be needed. This is similar to RFCs, which were published first without any preamble but now have significant legal structure at the front.

FYI,
/John

John Curran
President and CEO
ARIN
>> [ hint: how does an isp in phnom penh validate my route? ]
>
> Your question is a bit cryptic.

moi? :)

> Could you be more specific about your concern?

essentially, as the rirs have resisted iana being the root ta, the arin tal is necessary for anyone to validate anything which depends on the arin data. effectively you are requiring every router operator in the world to sign your document. does not work.

randy
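What Randy's last point rests on, shown as an added Python example that is not code from the thread, from ARIN or from any RPKI validator: a relying party takes a TAL, parses its URIs and Base64 key, checks that the key is a DER SubjectPublicKeyInfo for rsaEncryption, and accepts the trust anchor certificate it fetches only when that certificate's SubjectPublicKeyInfo matches the TAL key, so a validator without the ARIN TAL can accept nothing under ARIN. The sample TAL, its URIs and its toy key are constructed, and the layout follows the later RFC 7730/8630 form (several URIs, optional '#' comment lines) rather than the single-rsync-URI RFC 6490 form current in 2012.

```python
import base64, textwrap
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, DER encoded

def parse_tal(text):
    """TAL layout (RFC 7730; '#' comment lines per RFC 8630): URIs, blank line, Base64 SPKI."""
    lines = [ln.strip() for ln in text.splitlines()]
    sep = lines.index("")                                      # blank line ends the URI section (ValueError if absent)
    uris = [ln for ln in lines[:sep] if not ln.startswith("#")]
    for uri in uris:
        if not uri.startswith(("rsync://", "https://")):
            raise ValueError("unsupported TA URI: " + uri)
    # the Base64 SubjectPublicKeyInfo may be wrapped over several lines
    return uris, base64.b64decode("".join(lines[sep + 1:]), validate=True)

def _der_tlv(buf, pos=0):                                      # one DER TLV -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length, as a real 2048-bit key needs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_from_spki(spki):
    """Require a DER SubjectPublicKeyInfo with rsaEncryption (the RPKI profile, RFC 6485/7935, mandates RSA)."""
    tag, body, end = _der_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI is not a single DER SEQUENCE")
    alg_tag, alg, pos = _der_tlv(body)
    if alg_tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("TA public key algorithm is not rsaEncryption")
    bits_tag, bits, _ = _der_tlv(body, pos)
    if bits_tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return bits[1:]                                            # the RSAPublicKey DER

def ta_matches_tal(tal_text, fetched_spki):
    """RP step: accept the TA certificate fetched from a TAL URI only if its SPKI equals the TAL key."""
    uris, tal_spki = parse_tal(tal_text)
    rsa_key_from_spki(tal_spki)
    return uris, tal_spki == fetched_spki

SAMPLE_SPKI = bytes.fromhex(                  # constructed toy key, not any RIR's real trust anchor
    "303c"                                    # SubjectPublicKeyInfo SEQUENCE, 60 bytes
    "300d06092a864886f70d0101010500"          #   AlgorithmIdentifier: rsaEncryption, NULL parameters
    "032b00" "3028"                           #   BIT STRING (43 bytes, 0 unused) holding RSAPublicKey SEQUENCE (40)
    "022100" + "80" + "00" * 30 + "1d" +      #     modulus INTEGER, 33 bytes; leading 0x00 keeps it positive
    "0203010001")                             #     publicExponent 65537
SAMPLE_TAL = ("# constructed sample TAL, not a real RIR trust anchor\n"
              "rsync://rpki.example.net/repository/ta.cer\nhttps://rpki.example.net/repository/ta.cer\n\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_SPKI).decode(), 64)) + "\n")
```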