question about Mark Koster's ARIN presentation
This message is sent to the whole nanog list, rather than the nanog-attendees list, as I'm not sure who would be watching that list when the conference is over.
I stood up to ask a question at the end of Mark Koster's presentation yesterday, but before I got to the end of the table, he was being applauded and leaving the stage. I must be too short.
The presentation said that ARIN would be doing a lot of work to improve the IRR. The last I asked, the ARIN IRR did not support the RPSS (Routing Policy System Security - RFC2725). RIPE supports this, I know. Will the ARIN improvements include support for RPSS?
The presentation talked about the RPKI pilot, and Mark said that ARIN would be using the RIPE code. I believe RIPE has or had a couple different attempts at this, so I'm not sure what features the code you use will have. Will you have the ability to hand certs to ISPs so that they can do their own cert generation for the allocations they hand to their own customers? I.e., is ARIN going to run a service just for its members, or will it enable its members to participate in the RPKI themselves?
--Sandy
On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
This message is sent to the whole nanog list, rather than the nanog-attendees list,
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community? Cheers, mh
as I'm not sure who would be watching that list when the conference is over.
I stood up to ask a question at the end of Mark Koster's presentation yesterday, but before I got to the end of the table, he was being applauded and leaving the stage. I must be too short.
The presentation said that ARIN would be doing a lot of work to improve the IRR. The last I asked, the ARIN IRR did not support the RPSS (Routing Policy System Security - RFC2725). RIPE supports this, I know. Will the ARIN improvements include support for RPSS?
Interesting, yes.
The presentation talked about the RPKI pilot, and Mark said that ARIN would be using the RIPE code. I believe RIPE has or had a couple different attempts at this, so I'm not sure what features the code you use will have. Will you have the ability to hand certs to ISPs so that they can do their own cert generation for the allocations they hand to their own customers? I.e., is ARIN going to run a service just for its members, or will it enable its members to participate in the RPKI themselves?
As well.
--Sandy
mh -- michael hallgren, mh2198-ripe
On Thu, 18 Jun 2009 21:35:53 +0200, Michael Hallgren said:
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community?
Umm... "Presentation XYZ has been moved from the Blue Room to the Paisley Room" and similar administrivia of interest only to actual attendees?
On Thursday 18 June 2009 at 15:49 -0400, Valdis.Kletnieks@vt.edu wrote:
On Thu, 18 Jun 2009 21:35:53 +0200, Michael Hallgren said:
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community?
Umm... "Presentation XYZ has been moved from the Blue Room to the Paisley Room" and similar administrivia of interest only to actual attendees?
OK. More info's a good thing, better than less info... And we all know how to read and filter mail. Right? :) No harm, TTYS, mh -- michael hallgren, mh2198-ripe
On Jun 18, 2009, at 12:35 PM, Michael Hallgren wrote:
On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
This message is sent to the whole nanog list, rather than the nanog-attendees list,
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community?
nanog-attendees is intended to be used for social and specific conference related topics. Topics discussed at the conference with operational relevance should be here on the main list.
If anyone feels the need to follow up on the nanog-attendees/nanog distinction, please do so on nanog-futures.
Thanks!
Kris MLC Chair
On Thursday 18 June 2009 at 12:51 -0700, kris foster wrote:
On Jun 18, 2009, at 12:35 PM, Michael Hallgren wrote:
On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
This message is sent to the whole nanog list, rather than the nanog-attendees list,
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community?
nanog-attendees is intended to be used for social and specific conference related topics. Topics discussed at the conference with operational relevance should be here on the main list.
If anyone feels the need to follow up on the nanog-attendees/nanog distinction, please do so on nanog-futures.
Thanks!
Kris MLC Chair
Thanks MLC Chair, so will be. mh -- michael hallgren, mh2198-ripe
Michael Hallgren wrote:
On Thursday 18 June 2009 at 12:05 -0400, Sandy Murphy wrote:
This message is sent to the whole nanog list, rather than the nanog-attendees list,
How come there is a nanog-attendees list disjunct from the nanog list. Wouldn't it be natural to broadcast any kind of content to the entire community?
Before we had a nanog-attendees list, the nanog list would be bombarded with posts that were of no interest to people who weren't actually at the conference, such as issues with the conference wifi, issues with schedule conflicts, chatter about outside events in the host city, etc. It makes perfect sense to have a nanog-attendees list to keep those discussions off the main nanog list. I believe you can join the nanog attendees list without actually attending a nanog conference, if you want to get everything-nanog in your inbox. jc
Hi Sandy
On Thu, Jun 18, 2009 at 12:05:20PM -0400, Sandy Murphy wrote:
The presentation said that ARIN would be doing a lot of work to improve the IRR. The last I asked, the ARIN IRR did not support the RPSS (Routing Policy System Security - RFC2725). RIPE supports this, I know. Will the ARIN improvements include support for RPSS?
The current effort will only allow for ipv6 objects (route6/inet6num). Further enhancements to ARIN's IRR will be coupled together with improvements to ARIN Online that will be announced in the future.
The presentation talked about the RPKI pilot, and Mark said that ARIN would be using the RIPE code. I believe RIPE has or had a couple different attempts at this, so I'm not sure what features the code you use will have. Will you have the ability to hand certs to ISPs so that they can do their own cert generation for the allocations they hand to their own customers? I.e., is ARIN going to run a service just for its members, or will it enable its members to participate in the RPKI themselves?
We are using the same code that RIPE is using at http://certtest.ripe.net. RIPE has been very kind to allow us to use their code. As for ARIN, this is a pilot and is certainly not a final fixed-feature set. The first go of this is the "hosted" solution where an ISP can come into ARIN's pilot and create ROAs based off of allocations that they have received from ARIN.
All the ROAs will be placed into a rsync repository that can be retrieved and validated. Specifically, here are the features that are a part of the system:
* Enables ARIN resource holders to request certificates for their IPv4 and IPv6 Provider Aggregatable (PA) resources
* Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) for their PA address space
* Provides a public repository of certificates and ROAs
* Handles key rollovers and revocations
Thanks, Mark
The current effort will only allow for ipv6 objects (route6/inet6num).
s/allow for/add support for/ i hope
We are using the same code that RIPE is using at http://certtest.ripe.net. RIPE has been very kind to allow us to use their code. As for ARIN, this is a pilot and is certainly not a final fixed-feature set. The first go of this is the "hosted" solution where an ISP can come into ARIN's pilot and create ROAs based off of allocations that they have received from ARIN.
All the ROAs will be placed into a rsync repository that can be retrieved and validated. Specifically, here are the features that are a part of the system:
* Enables ARIN resource holders to request certificates for their IPv4 and IPv6 Provider Aggregatable (PA) resources
* Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) for their PA address space
* Provides a public repository of certificates and ROAs
* Handles key rollovers and revocations
the simple version of the question: who holds my private key(s)?
the longer version: does this implement my having my own subsidiary CA with it communicating with ARIN's and RIPE's ... using the protocols of the ietf sidr work?
randy
We are using the same code that RIPE is using at http://certtest.ripe.net. RIPE has been very kind to allow us to use their code. As for ARIN, this is a pilot and is certainly not a final fixed-feature set. The first go of this is the "hosted" solution where an ISP can come into ARIN's pilot and create ROAs based off of allocations that they have received from ARIN.
All the ROAs will be placed into a rsync repository that can be retrieved and validated. Specifically, here are the features that are a part of the system:
* Enables ARIN resource holders to request certificates for their IPv4 and IPv6 Provider Aggregatable (PA) resources
* Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) for their PA address space
* Provides a public repository of certificates and ROAs
* Handles key rollovers and revocations
the simple version of the question: who holds my private key(s)?
i guess the answer is ARIN does. not very private are they.
the longer version: does this implement my having my own subsidiary CA with it communicating with ARIN's and RIPE's ... using the protocols of the ietf sidr work?
i guess not. so how do i, a transit provider arin member, get certs and roas for my downstream multi-homed customers? randy
participants (7)
- JC Dill
- kris foster
- Mark Kosters
- Michael Hallgren
- Randy Bush
- sandy@tislabs.com
- Valdis.Kletnieks@vt.edu