[134506] in North American Network Operators' Group
ARIN resource certification service update
daemon@ATHENA.MIT.EDU (John Curran)
Thu Jan 6 11:19:41 2011
From: John Curran <jcurran@arin.net>
To: Randy Bush <randy@psg.com>
Date: Thu, 6 Jan 2011 16:17:51 +0000
In-Reply-To: <m2vd23ugkw.wl%randy@psg.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:
>> 1) If ARIN doesn't provide the level of authentication you desire, as
>> an ARIN member you should send a note to ppml each day until it's
>> available
>
> this is not address policy. this is ops. surely one does not have to
> dirty one's self with the ppml list to get an ops fix done in arin. it
> is not address policy.
>
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe). as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.
Randy -
Excellent point; my apologies for not realizing this sooner and
posting some information directly for consideration by the NANOG
community.
Attached is a message from the arin-discuss mailing list which
has some more context; please feel free to discuss this on the
arin-discuss mailing list or here on NANOG (as appropriate)
Thanks!
/John
Begin forwarded message:
> From: John Curran <jcurran@arin.net>
> Date: January 6, 2011 11:08:39 AM EST
> To: "George, Wes E [NTK]" <Wesley.E.George@sprint.com>
> Cc: "arin-discuss@arin.net" <arin-discuss@arin.net>
> Subject: Re: [arin-discuss] Important Update Regarding Resource Certification
>
> On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
>
>> There have been some threads about this on NANOG in the last few days. Can
>> we get a bit clearer explanation of what the specific security concerns are
>> and why they are delaying things? It may also make sense for someone from
>> ARIN to post to NANOG with an explanation as well. If there are security
>> concerns, it is something that the community should be aware of in case
>> other RIRs or the SIDR WG need to be considering those issues as well.
>>
>> Thanks,
>> Wes George
>
> George -
>
> The security concerns are not specifically related to the RPKI
> protocol, but inherent implications of any service that might
> be heavily relied upon for real-time network operations, i.e.
> I don't think it's a SIDR WG matter, but simply part of the
> due diligence associated with the service as noted below.
>
> While the RIRs presently provide services which are used to
> support operations (such as WHOIS and Reverse DNS services),
> failure of RIR resource certification services could have
> some very significant consequences, particularly in the case
> of incorrect data as opposed to simply unavailable data.
> There are some potential liability implications of operating
> such a service that ARIN is presently reviewing in depth. I
> need to also note that these issues exist even in the case of
> a perfectly secure and operational service, in that an error
> by an ISP using ARIN's services (e.g. having entered the wrong
> AS number into a ROA for a major customer) could result in
> ARIN needing to readily "prove" the integrity of its resource
> certification system as well as fidelity of performance against
> the operator's request.
>
> This has led ARIN to consider some aspects of its resource
> certification design, specifically to mitigate potential risks
> in the areas of non-repudiation and multi-party controls. Even
> so, the ultimate decision in these matters lies with the ARIN
> Board, as there is always going to be residual risk associated
> with any operations-related service provided by ARIN (note also
> that we have also discussed these issues with the other RIRs,
> but as they don't operate in ARIN's highly-litigious region, it
> is not necessarily a similar priority for their consideration)
>
> To the extent that ARIN offering resource certification services
> is important to your plans, it would be good to express such needs
> on the arin-discuss mailing list. This helps us gauge the demand
> which obviously is another important factor to be considered in
> making the final determination on offering these services.
>
> We intend to have more detailed information out later this month
> once the plans are finalized, but I hope the above information
> provides some insight into the process at this point. I will
> post this to the NANOG list for the community's information.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> ARIN
>
> p.s. I'm presently on a Caribbean cruise ship on a bona fide
> family vacation, so please recognize that replies may
> be deferred to off hours so that my laptop isn't thrown
> overboard... ;-)