On Sat, Apr 28, 2012 at 12:34:52PM +0200, Alex Band <alexb@ripe.net> wrote a message of 41 lines which said:
> In reality, since the RIRs launched an RPKI production service on 1 Jan 2011, adoption has been incredibly good (for example compared to IPv6 and DNSSEC). More than 1500 ISPs and large organizations world-wide have opted-in to the system and requested a resource certificate using the hosted service, or running an open source package with their own CA.
I have experience with the deployment of DNSSEC, and the problem with DNSSEC was not to have signed zones (many are, now) but to have people *using* these signatures to check the data (i.e. validating in a resolver). RPKI has many ROAs (signed objects) but how many operators validate routes on their production routers? Zero?
> But it's not just that, these ISPs didn't just blindly get a certificate and walk away.
Most of the ROAs are very recent. Again, the experience with DNSSEC shows that starting is easy ("DNSSEC in six minutes"). It's long-term management which is *the* problem. Wait until people start to change the routing data and watch the ROAs becoming less and less correct...
> Data quality is really good.
It's not what you said: "It is safe to say that overall data quality is pretty bad" <https://labs.ripe.net/Members/AlexBand/resource-certification-rpki-in-the-real-world> (good paper, by the way, thanks)
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:
> On Sat, Apr 28, 2012 at 12:34:52PM +0200, Alex Band <alexb@ripe.net> wrote a message of 41 lines which said:
>> In reality, since the RIRs launched an RPKI production service on 1 Jan 2011, adoption has been incredibly good (for example compared to IPv6 and DNSSEC). More than 1500 ISPs and large organizations world-wide have opted-in to the system and requested a resource certificate using the hosted service, or running an open source package with their own CA.
> I have experience with the deployment of DNSSEC, and the problem with DNSSEC was not to have signed zones (many are, now) but to have people *using* these signatures to check the data (i.e. validating in a resolver).
> RPKI has many ROAs (signed objects) but how many operators validate routes on their production routers? Zero?
First you need a robust system and reliable data. Native router support is coming along. We could be getting to a stage where people will use the data in production. Time will tell...
>> But it's not just that, these ISPs didn't just blindly get a certificate and walk away.
> Most of the ROAs are very recent. Again, the experience with DNSSEC shows that starting is easy ("DNSSEC in six minutes"). It's long-term management which is *the* problem. Wait until people start to change the routing data and watch the ROAs becoming less and less correct...
>> Data quality is really good.
> It's not what you said:
> "It is safe to say that overall data quality is pretty bad" <https://labs.ripe.net/Members/AlexBand/resource-certification-rpki-in-the-real-world> (good paper, by the way, thanks)
A lot has changed since I wrote that. :) -Alex
Participants (2): Alex Band, Stephane Bortzmeyer