[152415] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Alex Band)
Sat Apr 28 09:20:11 2012
From: Alex Band <alexb@ripe.net>
In-Reply-To: <20120428125758.GC30278@sources.org>
Date: Sat, 28 Apr 2012 15:19:39 +0200
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Paul Vixie <vixie@isc.org>, Florian Weimer <fw@deneb.enyo.de>,
"nanog@nanog.org list" <nanog@nanog.org>
On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:
> On Sat, Apr 28, 2012 at 12:34:52PM +0200,
> Alex Band <alexb@ripe.net> wrote
> a message of 41 lines which said:
>
>> In reality, since the RIRs launched an RPKI production service on 1
>> Jan 2011, adoption has been incredibly good (for example compared to
>> IPv6 and DNSSEC). More than 1500 ISPs and large organizations
>> world-wide have opted-in to the system and requested a resource
>> certificate using the hosted service, or running an open source
>> package with their own CA.
>
> I have an experience with the deployment of DNSSEC and the problem
> with DNSSEC was not to have signed zones (many are, now) but to have
> people *using* these signatures to check the data (i.e. validating in
> a resolver).
>
> RPKI has many ROA (signed objects) but how many operators validate
> routes on their production routers? Zero?
First you need a robust system and reliable data. Native router support is coming along. We could be getting to a stage where people will use the data in production. Time will tell...
>> But it's not just that, these ISPs didn't just blindly get
>> certificate and walk away.
>
> Most of the ROAs are very recent. Again, the experience with DNSSEC
> shows that starting is easy ("DNSSEC in six minutes"). It's long term
> management which is *the* problem. Wait until people start to change
> the routing data and watch the ROAs becoming less and less correct...
>
>> Data quality is really good.
>
> It's not what you said:
>
> "It is safe to say that overall data quality is pretty bad"
> <https://labs.ripe.net/Members/AlexBand/resource-certification-rpki-in-the-real-world>
> (good paper, by the way, thanks)
A lot has changed since I wrote that. :)
-Alex
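The thread turns on two points: whether anyone actually validates routes against ROAs, and what happens to those ROAs once routing data changes underneath them. The following is an added example, not code from the post or from RIPE NCC; it implements route origin validation with the RFC 6811 outcomes (valid, invalid, not-found) over a constructed set of ROAs in documentation address space, and then walks through the "stale ROA" case Stephane describes: a prefix moves to a new origin AS, the ROA is not updated, and the legitimate announcement turns invalid until a ROA for the new origin is published. All ROAs, prefixes and AS numbers below are made up for the example.

```python
# Added example: route origin validation (ROV) in the spirit of RFC 6811.
# All ROAs and announcements here are constructed sample data (documentation
# prefixes, private-use ASNs), not taken from any RIR repository.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, max announced length, origin ASN."""
    prefix: str
    max_length: int
    asn: int

    def __post_init__(self) -> None:
        net = ipaddress.ip_network(self.prefix, strict=True)
        if self.max_length < net.prefixlen or self.max_length > net.max_prefixlen:
            raise ValueError(f"bad maxLength {self.max_length} for {self.prefix}")


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'.

    not-found: no ROA covers the announced prefix at all.
    valid:     some covering ROA names this origin AS and permits this length.
    invalid:   covering ROAs exist, but none matches origin AND length.
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering: List[ROA] = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so check the version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set: two IPv4 prefixes and one IPv6 prefix, all authorised
# for AS64500. The /24 with maxLength 26 allows de-aggregation down to /26 only.
SAMPLE_ROAS: Tuple[ROA, ...] = (
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 26, 64500),
    ROA("2001:db8::/32", 48, 64500),
)

# Constructed announcements as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS: Tuple[Tuple[str, int], ...] = (
    ("192.0.2.0/24", 64500),      # exact match, right origin      -> valid
    ("198.51.100.0/26", 64500),   # within maxLength               -> valid
    ("198.51.100.0/27", 64500),   # too specific for the ROA       -> invalid
    ("198.51.100.0/24", 64496),   # right prefix, wrong origin AS  -> invalid
    ("203.0.113.0/24", 64500),    # no ROA covers this prefix      -> not-found
    ("2001:db8:1::/48", 64500),   # IPv6 within maxLength          -> valid
)


def classify_all(roas: Iterable[ROA] = SAMPLE_ROAS) -> Dict[Tuple[str, int], str]:
    """Run every sample announcement through ROV and return the outcomes."""
    roas = tuple(roas)
    return {ann: validate(ann[0], ann[1], roas) for ann in SAMPLE_ANNOUNCEMENTS}


def stale_roa_demo() -> Tuple[str, str]:
    """The long-term-management problem from the thread.

    192.0.2.0/24 is re-homed from AS64500 to AS64501 but nobody touches the
    ROA. The new, legitimate announcement is now 'invalid' (a covering ROA
    exists and it names the old AS). Publishing a ROA for the new origin
    restores 'valid'; the old ROA can then be retired.
    """
    before = validate("192.0.2.0/24", 64501, SAMPLE_ROAS)
    updated = SAMPLE_ROAS + (ROA("192.0.2.0/24", 24, 64501),)
    after = validate("192.0.2.0/24", 64501, updated)
    return before, after


if __name__ == "__main__":
    for (prefix, asn), state in classify_all().items():
        print(f"{prefix:18} AS{asn:<6} {state}")
    print("stale ROA, before/after republishing:", stale_roa_demo())
```

The "invalid" outcome for a legitimately re-homed prefix is the failure mode that matters for anyone dropping invalids on production routers: a ROA that was correct on the day it was created does not stay correct on its own, so ROA maintenance has to be part of the same change process that moves prefixes between ASes.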