On Sun, 2 Aug 2020 18:52:11 +0000 Randy Bush <randy@psg.com> wrote:
not to mention the ARIN stupidity
Notwithstanding the RPA, downloading ARIN's TAL is straightforward: As documented here: <https://www.arin.net/resources/manage/rpki/tal/> One can wget, curl, or whatever this: <https://www.arin.net/resources/manage/rpki/arin.tal> John
On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
On Sun, 2 Aug 2020 18:52:11 +0000 Randy Bush <randy@psg.com> wrote:
not to mention the ARIN stupidity
Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
As documented here:
<https://www.arin.net/resources/manage/rpki/tal/>
One can wget, curl, or whatever this:
I dunno, 'straightforward' to me would mean the ARIN TA is installed by default when you install a RPKI Cache Validator implementation, all without requiring lawyers well-versed in both your native language AND in the American legal system. I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without kludges. Here is a video (10 min) where I show how you can bootstrap a system from 0 to 100 without relying party agreements: https://www.youtube.com/watch?v=oBwAQep7Q7o The highlight of the video is when I access ARIN's website over HTTPS, after having resolved their webserver's IP address with a DNSSEC validating recursor... to discover I need to get a lawyer to download a .tal file which exists to protect *ARIN* members. Shouldn't ARIN members demand that the process is as frictionless as possible? (both the new and old RPA are the opposite of frictionless). ARIN members (the RPKI users) depend on network operators both inside and outside the ARIN region to honor their ROAs. The internet is global. The ARIN ROA's will not be honored if the ARIN .tal file is missing. The ARIN .tal file is missing because it cannot be included in open source software without making things very awkward. It is an insane situation. ARIN resource holders using ARIN's RPKI TA are measurably *less* protected than their RIPE, APNIC, LACNIC and AFRINIC counterparts. Get this: When you transfer your IP space away from ARIN, to *ANY* other RIR, you'll derive *MORE* benefits from your RPKI ROA signing efforts. You don't even need to renumber out of your space to improve your routing security posture! I believe ARIN's policy to institute a significant legal barrier to RPKI infrastructure negatively impacts ARIN's own members. Imagine having to sign a contract with DigiCert to obtain the public key to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would be bad for business. Kind regards, Job
On Aug 3, 2020, at 07:54 , Job Snijders <job@ntt.net> wrote:
On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
On Sun, 2 Aug 2020 18:52:11 +0000 Randy Bush <randy@psg.com> wrote:
not to mention the ARIN stupidity
Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
As documented here:
<https://www.arin.net/resources/manage/rpki/tal/>
One can wget, curl, or whatever this:
I dunno, 'straightforward' to me would mean the ARIN TA is installed by default when you install a RPKI Cache Validator implementation, all without requiring lawyers well-versed in both your native language AND in the American legal system.
I was able to download it just now without any authentication, lawyers, contracts, or anything elseā¦ What more is it you are asking for?
I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without kludges. Here is a video (10 min) where I show how you can bootstrap a system from 0 to 100 without relying party agreements: https://www.youtube.com/watch?v=oBwAQep7Q7o
I just obtained the ARIN TAL without ever signing an RPA. What am I missing? All I did was follow the URL John provided. Owen
While I certainly agree with you, I have a certainly-naive question - what the difference is between ARIN and RIPE's T&C: Aug 3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and Conditions Aug 3 19:07:15 rpki-validator rpki-client[16164]: See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc As far as I understand, to use RIPE's RPKI repo I have to similarly agree with RIPE's legal contract as well, though they are somewhat less aggressive about making sure I check a box before using it. Matt On 8/3/20 10:54 AM, Job Snijders wrote:
On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
On Sun, 2 Aug 2020 18:52:11 +0000 Randy Bush <randy@psg.com> wrote:
not to mention the ARIN stupidity
Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
As documented here:
<https://www.arin.net/resources/manage/rpki/tal/>
One can wget, curl, or whatever this:
I dunno, 'straightforward' to me would mean the ARIN TA is installed by default when you install a RPKI Cache Validator implementation, all without requiring lawyers well-versed in both your native language AND in the American legal system.
I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without kludges. Here is a video (10 min) where I show how you can bootstrap a system from 0 to 100 without relying party agreements: https://www.youtube.com/watch?v=oBwAQep7Q7o
The highlight of the video is when I access ARIN's website over HTTPS, after having resolved their webserver's IP address with a DNSSEC validating recursor... to discover I need to get a lawyer to download a .tal file which exists to protect *ARIN* members. Shouldn't ARIN members demand that the process is as frictionless as possible? (both the new and old RPA are the opposite of frictionless).
ARIN members (the RPKI users) depend on network operators both inside and outside the ARIN region to honor their ROAs. The internet is global. The ARIN ROA's will not be honored if the ARIN .tal file is missing. The ARIN .tal file is missing because it cannot be included in open source software without making things very awkward.
It is an insane situation. ARIN resource holders using ARIN's RPKI TA are measurably *less* protected than their RIPE, APNIC, LACNIC and AFRINIC counterparts.
Get this:
When you transfer your IP space away from ARIN, to *ANY* other RIR, you'll derive *MORE* benefits from your RPKI ROA signing efforts. You don't even need to renumber out of your space to improve your routing security posture!
I believe ARIN's policy to institute a significant legal barrier to RPKI infrastructure negatively impacts ARIN's own members.
Imagine having to sign a contract with DigiCert to obtain the public key to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would be bad for business.
Kind regards,
Job
I dunno, 'straightforward' to me would mean the ARIN TA is installed by default when you install a RPKI Cache Validator implementation
uh, i want a trustable downlad of trust anchors. and it ain't from vendors. but yes, arin's legal dos it typical arin. but, if i ignore the bumph, i can connect to their web site dnssec, tls, ... and get a viable TAL which meets RFC specs. that seems to me more than one can say for some other RIRs. randy
participants (5)
-
Job Snijders
-
John Kristoff
-
Matt Corallo
-
Owen DeLong
-
Randy Bush