[152413] in North American Network Operators' Group


Re: rpki vs. secure dns?

daemon@ATHENA.MIT.EDU (Alex Band)
Sat Apr 28 09:05:26 2012

From: Alex Band <alexb@ripe.net>
In-Reply-To: <874ns42ioc.fsf@mid.deneb.enyo.de>
Date: Sat, 28 Apr 2012 15:04:51 +0200
To: Florian Weimer <fw@deneb.enyo.de>, "nanog@nanog.org list" <nanog@nanog.org>
Cc: Paul Vixie <vixie@isc.org>

At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote
on RPKI at the general meeting. The result was that the RIPE NCC has the
green light to continue offering the Resource Certification service,
including all BGP Origin Validation related functionality. It's correct
that concerns were raised in the area of security, resilience and
operator autonomy, as you mention. These concerns are continuously being
evaluated and addressed. The response to the update that was given at
RIPE 64 two weeks ago indicated that the membership and Community are
happy with the approach the RIPE NCC is taking in this regard. Of course
I realize that some people will never be convinced, no matter which
steps are taken…

Looking at the bigger picture though, we shouldn't forget that what
RPKI, ROVER and the IRR facilitate is merely the ability to make a
*statement* about routing (with varying degrees of reliability) and
doesn't have a direct impact on BGP routing itself. Ultimately, it is up
to the network operator to interpret the data that is entered in the
system, allowing them to make an informed decision and take the action
they deem appropriate. Everyone has the ability to apply an override on
data they do not trust, or have a specific local policy for. In the
toolsets for using the RPKI data set for routing decisions, such as the
RIPE NCC RPKI Validator, every possible step is taken to ensure that the
operator is in the driver's seat.

Have a look here for a public example: http://rpki.netsign.net:8080/
Or install and try it yourself:
http://www.ripe.net/certification/tools-and-resources

Cheers,

Alex

On 28 Apr 2012, at 13:35, Florian Weimer wrote:

> * Alex Band:
>
>>> I don't know if we can get RPKI to deployment because RIPE and RIPE
>>> NCC have rather serious issues with it.  On the other hand, there
>>> doesn't seem to be anything else which keeps RIRs relevant in the
>>> post-scarcity world, so we'll see what happens.
>>
>> Could you elaborate on what those issues are?
>
> A year ago, RIPE NCC received legal advice that RPKI-based takedowns
> would not happen under Dutch law because Dutch law lacked any
> provisions for that.  This was used to deflect criticism that RPKI
> deployment would result in too much concentration of power:
>
> <http://www.ripe.net/ripe/mail/archives/address-policy-wg/2011-May/005858.html>
>
> The legal analysis turned out to be incomplete and the results
> incorrect---legal counsel failed to consider public order legislation.
> The validity of such an order (issued in the Dnschanger context) is
> currently being challenged in a Dutch court.
>
> From the comments on these events, I infer that RIPE NCC still does
> not want to exercise this level of control over routing, and the RIPE
> community does not want RIPE to have such control.  But assuming that
> the order stands, RPKI will provide RIPE NCC with a tool that nobody
> wants it to have, and RIPE NCC can be forced to use it.  Depending on
> the seriousness of those concerns, that's the end of RPKI deployment.
>
> (However, the most likely outcome of the current court case is that
> this particular police order will be found invalid on a formality,
> such as lack of effectiveness, providing little insight on the
> validity of future orders which are more carefully crafted.)
>
> Regarding the post-scarcity future, if most address holders never have
> to come back to the RIR to request more addresses, the number of
> address-related RIR/LIR transactions will decrease.  Organizations
> have a tendency to resist decreases in business (even non-profits),
> and RPKI is an obvious source of future business.
>

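The point Alex makes above is that a ROA is only a *statement* about who may originate a prefix; the operator's validator turns that statement into a valid / invalid / not-found verdict, and local overrides let the operator discard or supplement ROAs before that happens. The following is an added example illustrating that step, not code from the original message or from the RIPE NCC RPKI Validator. It implements the origin validation algorithm standardised in RFC 6811, and layers on two override mechanisms whose semantics are an assumption (an ignore list that discards every fetched ROA overlapping a prefix, and a whitelist of locally trusted ROA-like entries). The ROAs and announcements are constructed test data using documentation prefixes (RFC 5737 / RFC 3849) and documentation ASNs (RFC 5398).

```python
"""Route Origin Validation (RFC 6811) with operator overrides.

Added example, not code from the original message or from any RPKI
validator. ROAs, announcements and override lists are constructed test
data; the override semantics (ignore list and whitelist) are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the resource holder authorised, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length that may be announced under it
    asn: int         # authorised origin AS; 0 means "no AS may originate this"


def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the route prefix equals or lies within the
    ROA prefix (RFC 6811 section 2). Address families never cross-cover."""
    r, p = ip_network(roa.prefix), ip_network(prefix)
    return r.version == p.version and p.subnet_of(r)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 validation state of one announcement against a ROA set."""
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return NOT_FOUND                      # no ROA says anything about it
    plen = ip_network(prefix).prefixlen
    for r in covering:
        # An AS0 ROA never matches a real origin, so it only yields invalid.
        if r.asn == origin_asn and plen <= r.max_length:
            return VALID
    return INVALID


def apply_overrides(roas: Iterable[ROA],
                    ignore: Iterable[str] = (),
                    whitelist: Iterable[ROA] = ()) -> List[ROA]:
    """Operator overrides (assumed semantics): drop every fetched ROA that
    overlaps an ignored prefix, then append the locally trusted entries so
    the whitelist itself can never be filtered away."""
    ignored = [ip_network(p) for p in ignore]
    kept = []
    for r in roas:
        rp = ip_network(r.prefix)
        if any(i.version == rp.version and i.overlaps(rp) for i in ignored):
            continue
        kept.append(r)
    return kept + list(whitelist)


# Constructed ROA set standing in for what a validator would fetch.
FETCHED_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),   # permits /24 through /26
    ROA("203.0.113.0/24", 24, 0),        # AS0: nobody should originate this
    ROA("2001:db8::/32", 48, 64496),
]


def demo() -> dict:
    """Validate constructed announcements, first against the fetched ROAs
    as-is, then after the operator has applied two overrides."""
    plain = {
        ("192.0.2.0/24", 64496): validate("192.0.2.0/24", 64496, FETCHED_ROAS),
        ("192.0.2.0/25", 64496): validate("192.0.2.0/25", 64496, FETCHED_ROAS),  # exceeds maxLength
        ("192.0.2.0/24", 64500): validate("192.0.2.0/24", 64500, FETCHED_ROAS),  # wrong origin
        ("198.51.100.64/26", 64497): validate("198.51.100.64/26", 64497, FETCHED_ROAS),
        ("203.0.113.0/24", 64498): validate("203.0.113.0/24", 64498, FETCHED_ROAS),  # AS0 ROA
        ("2001:db8::/31", 64496): validate("2001:db8::/31", 64496, FETCHED_ROAS),    # less specific than ROA
        ("10.0.0.0/8", 64510): validate("10.0.0.0/8", 64510, FETCHED_ROAS),
    }
    local = apply_overrides(
        FETCHED_ROAS,
        ignore=["203.0.113.0/24"],                   # operator distrusts that ROA
        whitelist=[ROA("192.0.2.0/24", 25, 64496)],  # operator accepts the /25s
    )
    overridden = {
        ("192.0.2.0/25", 64496): validate("192.0.2.0/25", 64496, local),
        ("203.0.113.0/24", 64498): validate("203.0.113.0/24", 64498, local),
    }
    return {"plain": plain, "overridden": overridden}


if __name__ == "__main__":
    for scope, results in demo().items():
        for (prefix, asn), state in results.items():
            print(f"{scope:10} {prefix:18} AS{asn}: {state}")
```

Note that validation never touches routing by itself: the verdict is just another attribute the operator's policy consumes (typically "invalid" is rejected or depreffed, "not-found" accepted, "valid" preferred), and the ignore and whitelist lists are where the local override Alex mentions is expressed before any verdict is computed.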
