[135816] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Alex Band)
Sat Jan 29 10:28:00 2011
From: Alex Band <alexb@ripe.net>
In-Reply-To: <0BC31466-09EA-4734-96B2-152453A62B90@arin.net>
Date: Sat, 29 Jan 2011 16:26:55 +0100
To: John Curran <jcurran@arin.net>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
John,
Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC currently offers. We're developing support for the up/down protocol as I write this.
To give you some perspective, one month after launching the hosted RIPE NCC Resource Certification service, 216 LIRs are using it in the RIPE Region and created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
I realize a hosted solution is not ideal, we're very open about that. But at least in our region, it seems there are quite a number of organizations who understand and accept the security trade-off of not being the owner of the private key for their resource certificate and trust their RIR to run a properly secured and audited service. So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now?
Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof who is the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?
Alex Band
Product Manager, RIPE NCC
P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA Repository, here is the latest output in CSV format:
http://lunimon.com/valid-roas-20110129.csv
On 24 Jan 2011, at 21:33, John Curran wrote:
> Copy to NANOG for those who aren't on ARIN lists but may be interested in this info.
> FYI.
> /John
>
> Begin forwarded message:
>
> From: John Curran <jcurran@arin.net>
> Date: January 24, 2011 2:58:52 PM EST
> To: "arin-announce@arin.net" <arin-announce@arin.net>
> Subject: [arin-announce] ARIN Resource Certification Update
>
> ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance of Internet number resource certification in the region as a key element of further securing Internet routing, and plans to roll out Resource Public Key Infrastructure (RPKI) at the end of the second quarter of 2011 with support for the Up/Down protocol for those ISPs who wish to certify their subdelegations via their own RPKI infrastructure.
>
> ARIN continues to evaluate offering a Hosting Resource Certification service for this purpose (as an alternative to organizations having to run their own RPKI infrastructure), but at this time it remains under active consideration and is not committed. We look forward to discussing the need for this type of service and the organization implications at our upcoming ARIN Members Meeting in April in San Juan, PR.
>
> FYI,
> /John
>
> John Curran
> President and CEO
> ARIN