[152405] in North American Network Operators' Group


Re: rpki vs. secure dns?

daemon@ATHENA.MIT.EDU (Alex Band)
Sat Apr 28 06:35:31 2012

From: Alex Band <alexb@ripe.net>
In-Reply-To: <87ipgk2n8c.fsf@mid.deneb.enyo.de>
Date: Sat, 28 Apr 2012 12:34:52 +0200
To: Florian Weimer <fw@deneb.enyo.de>, "nanog@nanog.org list" <nanog@nanog.org>
Cc: Paul Vixie <vixie@isc.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 28 Apr 2012, at 11:56, Florian Weimer wrote:

> * Paul Vixie:
>
>> this seems late, compared to the various commitments made to rpki in
>> recent years. is anybody taking it seriously?
>
> The idea as such isn't new, this has been floating around for four
> years or more, including at least one Internet draft,
> draft-donnerhacke-sidr-bgp-verification-dnssec.
>
> I don't know if we can get RPKI to deployment because RIPE and RIPE
> NCC have rather serious issues with it.  On the other hand, there
> doesn't seem to be anything else which keeps RIRs relevant in the
> post-scarcity world, so we'll see what happens.

Could you elaborate on what those issues are?

I can't speak for ROVER, but judging from Gersh's talk at RIPE64 and the discussion afterwards, it looks like it's just an old idea that was brought to the table again, with a few early adopters experimenting.

In the linked article Gersh says that RPKI is complex and deployment has been slow. In reality, since the RIRs launched an RPKI production service on 1 Jan 2011, adoption has been incredibly good (for example compared to IPv6 and DNSSEC). More than 1500 ISPs and large organizations world-wide have opted in to the system and requested a resource certificate, either using the hosted service or by running an open source package with their own CA.

But it's not just that: these ISPs didn't just blindly get a certificate and walk away. There are over 800 ROAs in the global system, describing more than 2000 prefixes ranging from /24s to /10s, totaling almost 80 million IPv4 addresses' worth of BGP announcements. Data quality is really good. All in all, RPKI has really good traction and, with native router support in Cisco, Juniper and Quagga, this is only getting better.

Global deployment statistics can be found here: http://certification-stats.ripe.net/

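What a router with "native RPKI support" actually does with the ROAs Alex describes is route origin validation (RFC 6811): for each received route it looks for ROAs covering the announced prefix and classifies the route as Valid, Invalid or NotFound. The following is an added Python example, not code from the original post and not the validation logic of any RIR or router vendor; the ROAs, prefixes and AS numbers in it are constructed (documentation prefixes and private-use ASNs), not figures from certification-stats.ripe.net.

```python
"""
RPKI Route Origin Validation (RFC 6811) against a constructed ROA set.

Constructed example: every ROA, prefix and ASN below is made up
(documentation prefixes, private-use ASNs); none of it is RIR data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: (prefix, maxLength, origin ASN)."""
    prefix: Network
    max_length: int
    asn: int

    @classmethod
    def parse(cls, prefix: str, asn: int, max_length: Optional[int] = None) -> "ROA":
        net = ipaddress.ip_network(prefix, strict=True)
        # RFC 6482: an absent maxLength means "exactly this prefix length".
        ml = net.prefixlen if max_length is None else max_length
        if not net.prefixlen <= ml <= net.max_prefixlen:
            raise ValueError(f"maxLength {ml} out of range for {net}")
        return cls(net, ml, asn)


def covers(roa: ROA, announced: Network) -> bool:
    """A ROA covers a route when the announced prefix lies inside the ROA prefix."""
    return announced.version == roa.prefix.version and announced.subnet_of(roa.prefix)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"  # no ROA says anything about this address space
    for r in covering:
        # The origin must match and the route must not be more specific than
        # maxLength; this is what stops more-specific hijacks of a ROA'd block.
        # AS 0 ROAs (RFC 6483) never match a real origin, so they only invalidate.
        if r.asn == origin_asn and origin_asn != 0 and announced.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


# Constructed ROA set (not real RIR data).
ROAS: List[ROA] = [
    ROA.parse("192.0.2.0/24", 64496),                  # exact /24 only
    ROA.parse("10.0.0.0/8", 64498, max_length=16),     # sub-allocations down to /16
    ROA.parse("2001:db8::/32", 64500, max_length=48),
    ROA.parse("198.51.100.0/24", 0),                   # AS 0: nobody may originate this
]

# Constructed announcements: (prefix, origin ASN).
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),       # Valid: exact match
    ("192.0.2.0/24", 64499),       # Invalid: wrong origin (origin hijack)
    ("10.1.0.0/16", 64498),        # Valid: within maxLength
    ("10.1.2.0/24", 64498),        # Invalid: more specific than maxLength
    ("203.0.113.0/24", 64497),     # NotFound: no covering ROA
    ("2001:db8:1::/48", 64500),    # Valid: IPv6 within maxLength
    ("2001:db8:1:2::/64", 64500),  # Invalid: exceeds maxLength
    ("198.51.100.0/24", 64496),    # Invalid: covered only by an AS 0 ROA
]


def validate_all(routes=SAMPLE_ROUTES, roas=ROAS) -> Dict[Tuple[str, int], str]:
    """Validate every route in the table; returns {(prefix, asn): state}."""
    return {(p, a): validate(p, a, roas) for p, a in routes}


if __name__ == "__main__":
    for (p, a), state in validate_all().items():
        print(f"{p:<20} AS{a:<6} {state}")
```

Note the three-way result: with only a few hundred ROAs in the system at the time of this thread, most routes would come back NotFound, which is why operators start by dropping or de-preferring Invalid routes rather than accepting only Valid ones. The maxLength check is the part people most often get wrong when writing ROAs by hand: a ROA for a /16 with maxLength 24 authorises every more-specific down to /24 for that origin, which also lets anyone who can spoof that origin ASN announce those more-specifics as Valid.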
