[135831] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Arturo Servin)
Sat Jan 29 16:07:24 2011
From: Arturo Servin <aservin@lacnic.net>
Date: Sat, 29 Jan 2011 19:06:17 -0200
In-Reply-To: <FDFF6713-AB2E-4447-A58B-52CD36A6113A@ripe.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
X-LACNIC.uy-MailScanner-From: aservin@lacnic.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I agree with Alex that without a hosted solution RIPE NCC wouldn't have so many ROAs today; for us, even with it, it has been more difficult to roll out RPKI among our ISPs. Like many, I do not think that a hosted solution suits everybody and it has some disadvantages, but at least it could help to lower the entry barrier for some.
Speaking about RPKI stats, here is some ROA evolution in various TAs (the data from ARIN is from their beta test, the rest are production systems):
http://www.labs.lacnic.net/~rpki/rpki-evolution-report_EN.txt
And visually:
http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/global-roa-heatmap.png
and
http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
To see each region.
http://www.labs.lacnic.net/~rpki/rpki-heatmaps
Also, bgpmon has a nice whois interface for humans to see ROAs (not sure if this link was shared here or on Twitter, sorry if I am duplicating):
http://bgpmon.net/blog/?p=414
Best regards,
-as
On 29 Jan 2011, at 13:26, Alex Band wrote:
> John,
>
> Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC currently offers. We're developing support for the up/down protocol as I write this.
>
> To give you some perspective, one month after launching the hosted RIPE NCC Resource Certification service, 216 LIRs are using it in the RIPE Region and created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
>
> I realize a hosted solution is not ideal, we're very open about that. But at least in our region, it seems there are quite a number of organizations who understand and accept the security trade-off of not being the owner of the private key for their resource certificate and trust their RIR to run a properly secured and audited service. So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now?
>
> Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof who is the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?
>
> Alex Band
> Product Manager, RIPE NCC
>
> P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA Repository, here is the latest output in CSV format:
> http://lunimon.com/valid-roas-20110129.csv
>
> On 24 Jan 2011, at 21:33, John Curran wrote:
>
>> Copy to NANOG for those who aren't on ARIN lists but may be interested in this info.
>> FYI.
>> /John
>>
>> Begin forwarded message:
>>
>> From: John Curran <jcurran@arin.net>
>> Date: January 24, 2011 2:58:52 PM EST
>> To: "arin-announce@arin.net" <arin-announce@arin.net>
>> Subject: [arin-announce] ARIN Resource Certification Update
>>
>> ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance of Internet number resource certification in the region as a key element of further securing Internet routing, and plans to roll out Resource Public Key Infrastructure (RPKI) at the end of the second quarter of 2011 with support for the Up/Down protocol for those ISPs who wish to certify their subdelegations via their own RPKI infrastructure.
>>
>> ARIN continues to evaluate offering a Hosting Resource Certification service for this purpose (as an alternative to organizations having to run their own RPKI infrastructure), but at this time it remains under active consideration and is not committed. We look forward to discussing the need for this type of service and the organization implications at our upcoming ARIN Members Meeting in April in San Juan, PR.
>>
>> FYI,
>> /John
>>
>> John Curran
>> President and CEO
>> ARIN