[135838] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Jan 29 20:55:58 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <F4820171-5F43-480C-B0BA-2BB9D473C75D@lacnic.net>
Date: Sat, 29 Jan 2011 17:52:57 -0800
To: Arturo Servin <aservin@lacnic.net>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I don't understand why you can't have a hosted solution where the private keys
are not held by the host.
Seems to me you should be able to use a Java Applet to do the private key
generation and store the private key on the end-user's machine, passing
objects that need to be signed by the end user down to the applet for
signing.
This could be just as low-entry for the user, but, without the host holding
the private keys.
What am I missing?
Owen
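The split Owen describes (key generated and kept on the member's side, host builds the object and hands it down for signature, host verifies with the public key it registered) as an added example, written by the editor in Go rather than as a Java applet; it is not Owen's code nor any RIR's. The ROARequest type, its byte encoding, and the Client/Host names are assumptions for illustration: it is a stand-in for the RPKI objects a hosted service would need authorised, not the RFC 6482 ROA / CMS encoding. It does use the RSA PKCS#1 v1.5 with SHA-256 signature that RFC 6485 specifies for RPKI.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ROARequest is a constructed, simplified stand-in for what a member
// authorises (ASN, prefix, max length). Not the RFC 6482 ASN.1 ROA.
type ROARequest struct {
	ASN       uint32
	Prefix    string // e.g. "192.0.2.0/24"
	MaxLength uint8
}

// Bytes is a canonical encoding so host and client hash the same bytes.
func (r ROARequest) Bytes() []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, r.ASN)
	b = append(b, r.MaxLength)
	return append(b, []byte(r.Prefix)...)
}

// Client runs on the resource holder's machine (the "applet" role).
// The private key is generated here and never leaves this struct.
type Client struct{ priv *rsa.PrivateKey }

func NewClient() (*Client, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Client{priv: k}, nil
}

// PublicKey is the only key material the client ever gives the host.
func (c *Client) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Sign signs the to-be-signed bytes handed down by the host:
// RSA PKCS#1 v1.5 over SHA-256, the RPKI algorithm per RFC 6485.
func (c *Client) Sign(tbs []byte) ([]byte, error) {
	h := sha256.Sum256(tbs)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
}

// Host is the hosted service: it keeps public keys and published
// objects and builds objects to sign, but holds no member private key.
type Host struct {
	pubkeys   map[string]*rsa.PublicKey
	published map[string][]ROARequest
}

func NewHost() *Host {
	return &Host{pubkeys: map[string]*rsa.PublicKey{}, published: map[string][]ROARequest{}}
}

// Register binds a member to the public key its client generated.
func (h *Host) Register(member string, pub *rsa.PublicKey) { h.pubkeys[member] = pub }

// Publish verifies the member's signature over the request bytes with
// the registered public key and only then stores the object.
func (h *Host) Publish(member string, req ROARequest, sig []byte) error {
	pub, ok := h.pubkeys[member]
	if !ok {
		return errors.New("unknown member")
	}
	hsh := sha256.Sum256(req.Bytes())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hsh[:], sig); err != nil {
		return fmt.Errorf("signature rejected for %s: %w", member, err)
	}
	h.published[member] = append(h.published[member], req)
	return nil
}

// Published reports how many objects the host holds for member.
func (h *Host) Published(member string) int { return len(h.published[member]) }

// RunFlow exercises the exchange: a correctly signed object is accepted,
// an object altered after signing is refused, and a signature made with
// someone else's key is refused. Sample values are constructed.
func RunFlow() (accepted, tamperedRejected, wrongKeyRejected bool, err error) {
	alice, err := NewClient()
	if err != nil {
		return
	}
	mallory, err := NewClient()
	if err != nil {
		return
	}
	host := NewHost()
	host.Register("alice", alice.PublicKey())

	req := ROARequest{ASN: 64496, Prefix: "192.0.2.0/24", MaxLength: 24}
	sig, err := alice.Sign(req.Bytes())
	if err != nil {
		return
	}
	accepted = host.Publish("alice", req, sig) == nil

	bad := req
	bad.MaxLength = 32 // host or attacker cannot quietly widen the ROA
	tamperedRejected = host.Publish("alice", bad, sig) != nil

	msig, err := mallory.Sign(req.Bytes())
	if err != nil {
		return
	}
	wrongKeyRejected = host.Publish("alice", req, msig) != nil
	return
}

func main() {
	a, t, w, err := RunFlow()
	fmt.Println("accepted:", a, "tampered rejected:", t, "wrong key rejected:", w, "err:", err)
}
```

Two caveats a practitioner would add to this design. First, it only moves key custody; the host still chooses what is handed down for signature, so the client side must decode and display the object (ASN, prefix, max length) before signing rather than sign opaque bytes, or the host can get arbitrary objects authorised anyway. Second, a key that lives only on an end-user's machine needs a backup and revocation story, which is exactly the operational burden the hosted model was meant to remove.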
On Jan 29, 2011, at 1:06 PM, Arturo Servin wrote:
> 
> I agree with Alex that without a hosted solution RIPE NCC wouldn't have so many ROAs today; for us, even with it, it has been more difficult to roll out RPKI among our ISPs. As many, I do not think that a hosted solution suits everybody and it has some disadvantages, but at least it could help to lower the entry barrier for some.
> 
> 
> Speaking about RPKI stats, here is some ROA evolution in various TAs (the data from ARIN is from their beta test, the rest are production systems):
> 
> http://www.labs.lacnic.net/~rpki/rpki-evolution-report_EN.txt
> 
> And visually:
> 
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/global-roa-heatmap.png
> 
> and
> 
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
> 
> To see each region.
> 
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps
> 
> Also, bgpmon has a nice whois interface for humans to see ROAs (not sure if this link was shared here or on twitter, sorry if I am duplicating):
> 
> http://bgpmon.net/blog/?p=414
> 
> 
> Best regards,
> -as
> 
> 
> On 29 Jan 2011, at 13:26, Alex Band wrote:
> 
>> John,
>> 
>> Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC currently offers. We're developing support for the up/down protocol as I write this.
>> 
>> To give you some perspective, one month after launching the hosted RIPE NCC Resource Certification service, 216 LIRs are using it in the RIPE Region and created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
>> 
>> I realize a hosted solution is not ideal, we're very open about that. But at least in our region, it seems there are quite a number of organizations who understand and accept the security trade-off of not being the owner of the private key for their resource certificate and trust their RIR to run a properly secured and audited service. So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now?
>> 
>> Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof of who is the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?
>> 
>> Alex Band
>> Product Manager, RIPE NCC
>> 
>> P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA Repository, here is the latest output in CSV format:
>> http://lunimon.com/valid-roas-20110129.csv
>> 
>> 
>> 
>> On 24 Jan 2011, at 21:33, John Curran wrote:
>> 
>>> Copy to NANOG for those who aren't on ARIN lists but may be interested in this info.
>>> FYI.
>>> /John
>>> 
>>> Begin forwarded message:
>>> 
>>> From: John Curran <jcurran@arin.net>
>>> Date: January 24, 2011 2:58:52 PM EST
>>> To: "arin-announce@arin.net" <arin-announce@arin.net>
>>> Subject: [arin-announce] ARIN Resource Certification Update
>>> 
>>> ARIN continues its preparations for offering production-grade resource certification
>>> services for Internet number resources in the region. ARIN recognizes the importance
>>> of Internet number resource certification in the region as a key element of further
>>> securing Internet routing, and plans to roll out Resource Public Key Infrastructure (RPKI)
>>> at the end of the second quarter of 2011 with support for the Up/Down protocol for those
>>> ISPs who wish to certify their subdelegations via their own RPKI infrastructure.
>>> 
>>> ARIN continues to evaluate offering a Hosting Resource Certification service for this
>>> purpose (as an alternative to organizations having to run their own RPKI infrastructure),
>>> but at this time it remains under active consideration and is not committed. We look
>>> forward to discussing the need for this type of service and the organizational implications
>>> at our upcoming ARIN Members Meeting in April in San Juan, PR.
>>> 
>>> FYI,
>>> /John
>>> 
>>> John Curran
>>> President and CEO
>>> ARIN
>>> 
>>> _______________________________________________
>>> ARIN-Announce
>>> You are receiving this message because you are subscribed to
>>> the ARIN Announce Mailing List (ARIN-announce@arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-announce
>>> Please contact info@arin.net if you experience any issues.
>>> 
>>> 
>> 