[135854] in North American Network Operators' Group


Re: [arin-announce] ARIN Resource Certification Update

daemon@ATHENA.MIT.EDU (Carlos Martinez-Cagnazzo)
Sun Jan 30 09:12:45 2011

In-Reply-To: <60020FA8-364E-4F19-951A-95D971FDDD76@delong.com>
Date: Sun, 30 Jan 2011 12:11:50 -0200
From: Carlos Martinez-Cagnazzo <carlosm3011@gmail.com>
To: Arturo Servin <aservin@lacnic.net>,
	"nanog@nanog.org list" <nanog@nanog.org>
Reply-To: carlos@lacnic.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Do you really think that a set of keys stored in a random PC in a
random office is safer than on a periodically backed-up, encrypted
database? In this future I only see lost keys, keys appearing listed
in something.ru domains, tons of support calls to hostmasters, and
ROAs repeatedly becoming invalid, all things that will seriously harm
RPKI adoption.

In the end, I see two things:

- Hosted solutions aren't supposed to fit everyone, that's why
top-down is being developed. This is not news.

- Hosted solutions offer a low barrier entry to smaller organizations
who simply cannot develop their own PKI infrastructure. This is the
case where they also lack the organizational skills to properly manage
the keys themselves, so, in most cases at least, they are *better off*
with a hosted solution

For RPKI to succeed we have to succeed not only on the technical side
but on the *human* side of things. Adoption of RPKI will only move
forward if network admins have *confidence* in the stability,
dependability and overall quality of the whole system. ROAs repeatedly
becoming invalid for the wrong reasons will represent a death blow to
RPKI adoption.

For RIPE, their hosted solution is clearly meeting expectations within
their region. Other region's mileage may vary. I hope we (LACNIC) can
do just as well.

Have a great day!

Carlos

On Sat, Jan 29, 2011 at 11:52 PM, Owen DeLong <owen@delong.com> wrote:
> I don't understand why you can't have a hosted solution where the private keys
> are not held by the host.
>
> Seems to me you should be able to use a Java Applet to do the private key
> generation and store the private key on the end-user's machine, passing
> objects that need to be signed by the end user down to the applet for
> signing.
>
> This could be just as low-entry for the user, but, without the host holding
> the private keys.
>
> What am I missing?
>
> Owen
>
> On Jan 29, 2011, at 1:06 PM, Arturo Servin wrote:
>
>>
>> I agree with Alex that without a hosted solution RIPE NCC wouldn't have so many ROAs today, for us, even with it, it has been more difficult to roll out RPKI among our ISPs. As many, I do not think that a hosted solution suits everybody and it has some disadvantages but at least it could help to lower the entry barrier for some.
>>
>>
>> Speaking about RPKI stats, here is some ROA evolution in various TAs (the data from ARIN is from their beta test, the rest are production systems):
>>
>> http://www.labs.lacnic.net/~rpki/rpki-evolution-report_EN.txt
>>
>> And visually:
>>
>> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/global-roa-heatmap.png
>>
>> and
>>
>> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
>>
>> To see each region.
>>
>> http://www.labs.lacnic.net/~rpki/rpki-heatmaps
>>
>> Also, bgpmon has a nice whois interface for humans to see ROAs (not sure if this link was shared here or on twitter, sorry if I am duplicating):
>>
>> http://bgpmon.net/blog/?p=414
>>
>>
>> Best regards,
>> -as
>>
>>
>>
>> On 29 Jan 2011, at 13:26, Alex Band wrote:
>>
>>> John,
>>>
>>> Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC currently offers. We're developing support for the up/down protocol as I write this.
>>>
>>> To give you some perspective, one month after launching the hosted RIPE NCC Resource Certification service, 216 LIRs are using it in the RIPE Region and created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
>>>
>>> I realize a hosted solution is not ideal, we're very open about that. But at least in our region, it seems there are quite a number of organizations who understand and accept the security trade-off of not being the owner of the private key for their resource certificate and trust their RIR to run a properly secured and audited service. So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now?
>>>
>>> Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof who is the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?
>>>
>>> Alex Band
>>> Product Manager, RIPE NCC
>>>
>>> P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA Repository, here is the latest output in CSV format:
>>> http://lunimon.com/valid-roas-20110129.csv
>>>
>>>
>>>
>>> On 24 Jan 2011, at 21:33, John Curran wrote:
>>>
>>>> Copy to NANOG for those who aren't on ARIN lists but may be interested in this info.
>>>> FYI.
>>>> /John
>>>>
>>>> Begin forwarded message:
>>>>
>>>> From: John Curran <jcurran@arin.net>
>>>> Date: January 24, 2011 2:58:52 PM EST
>>>> To: "arin-announce@arin.net" <arin-announce@arin.net>
>>>> Subject: [arin-announce] ARIN Resource Certification Update
>>>>
>>>> ARIN continues its preparations for offering production-grade resource certification
>>>> services for Internet number resources in the region.  ARIN recognizes the importance
>>>> of Internet number resource certification in the region as a key element of further
>>>> securing Internet routing, and plans to roll out Resource Public Key Infrastructure (RPKI)
>>>> at the end of the second quarter of 2011 with support for the Up/Down protocol for those
>>>> ISPs who wish to certify their subdelegations via their own RPKI infrastructure.
>>>>
>>>> ARIN continues to evaluate offering a Hosting Resource Certification service for this
>>>> purpose (as an alternative to organizations having to run their own RPKI infrastructure),
>>>> but at this time it remains under active consideration and is not committed.  We look
>>>> forward to discussing the need for this type of service and the organization implications
>>>> at our upcoming ARIN Members Meeting in April in San Juan, PR.
>>>>
>>>> FYI,
>>>> /John
>>>>
>>>> John Curran
>>>> President and CEO
>>>> ARIN
>>>>
>>>> _______________________________________________
>>>> ARIN-Announce
>>>> You are receiving this message because you are subscribed to
>>>> the ARIN Announce Mailing List (ARIN-announce@arin.net).
>>>> Unsubscribe or manage your mailing list subscription at:
>>>> http://lists.arin.net/mailman/listinfo/arin-announce
>>>> Please contact info@arin.net if you experience any issues.
>>>>
>>>>
>>>
>
>
>



-- 
--
=========================
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=========================
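The split-custody flow Owen sketches above (key pair generated on the end user's machine, the host passing objects down for signature and holding only the public key) modelled in Go, as an added example that is not code from any of the posters, from RIPE NCC, ARIN or LACNIC. It is not a Java applet and does not produce RFC 6482 ROA encodings: `RoaRequest`, `Client`, `Host`, `Encode` and `Accept` are names assumed for the illustration, the JSON payload is a constructed stand-in for the to-be-signed ROA content, and the ASN and prefix are documentation values. What it shows is the property under discussion: the host can verify and store signed objects, and rejects anything altered after signing, without ever being able to sign on the holder's behalf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RoaRequest is a constructed, simplified stand-in for the ROA content the
// host wants signed (AS number, prefix, max length). It is NOT the RFC 6482
// ASN.1/CMS encoding; only the key-custody split is being demonstrated.
type RoaRequest struct {
	ASN       uint32 `json:"asn"`
	Prefix    string `json:"prefix"`
	MaxLength int    `json:"max_length"`
}

// Client models the end user's machine (the applet in Owen's proposal):
// the only place the private key ever exists.
type Client struct {
	priv ed25519.PrivateKey
}

// NewClient generates the key pair locally; the private half never leaves.
func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is the only key material the client hands to the host.
func (c *Client) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Sign signs the to-be-signed bytes the host passed down.
func (c *Client) Sign(tbs []byte) []byte {
	return ed25519.Sign(c.priv, tbs)
}

// SignedRoa is what the host stores and can later publish: object plus signature.
type SignedRoa struct {
	TBS []byte
	Sig []byte
}

// Host models the hosted service. It holds registered public keys and
// signed objects, and nothing that could produce a signature on its own.
type Host struct {
	pubs   map[string]ed25519.PublicKey
	stored map[string][]SignedRoa
}

func NewHost() *Host {
	return &Host{pubs: map[string]ed25519.PublicKey{}, stored: map[string][]SignedRoa{}}
}

// Register records a holder's public key, e.g. at enrolment.
func (h *Host) Register(holder string, pub ed25519.PublicKey) {
	h.pubs[holder] = pub
}

// Encode builds the canonical bytes the host sends down for signing.
func Encode(r RoaRequest) ([]byte, error) {
	return json.Marshal(r)
}

// Accept verifies the returned signature against the registered public key
// before storing; a tampered object or an unknown holder is rejected.
func (h *Host) Accept(holder string, tbs, sig []byte) error {
	pub, ok := h.pubs[holder]
	if !ok {
		return errors.New("unknown holder")
	}
	if !ed25519.Verify(pub, tbs, sig) {
		return errors.New("signature does not verify against registered key")
	}
	h.stored[holder] = append(h.stored[holder], SignedRoa{TBS: tbs, Sig: sig})
	return nil
}

// Count reports how many signed objects the host holds for a holder.
func (h *Host) Count(holder string) int {
	return len(h.stored[holder])
}

func main() {
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	host := NewHost()
	host.Register("holder-1", client.PublicKey())

	// Host prepares the object (constructed input using documentation values).
	tbs, _ := Encode(RoaRequest{ASN: 64496, Prefix: "192.0.2.0/24", MaxLength: 24})
	sig := client.Sign(tbs) // signing happens on the client only
	fmt.Println("accepted:", host.Accept("holder-1", tbs, sig) == nil)

	// Anything altered after signing fails verification at the host.
	tampered := append([]byte{}, tbs...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered accepted:", host.Accept("holder-1", tampered, sig) == nil)
}
```

The same model also makes Carlos's objection concrete: because `Host` holds no private key, it cannot recover or re-sign anything if the client-side key is lost, so the holder has to enrol a fresh public key and sign every object again, which is exactly the lost-keys and invalid-ROAs scenario he describes.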

