[ncc-services-wg] RPKI Resource Certification: building features

Alex Band alexb at ripe.net
Tue Oct 5 08:51:04 UTC 2010


On 4 Oct 2010, at 23:18, Randy Bush wrote:

>> 1) We have not implemented support for this yet. We plan to go live
>> with the fully hosted version first and extend it with support for
>> non-hosted systems around Q2/Q3 2011.
>
> this is a significant slip from the 1q11 we were told in prague.  care
> to explain.

Let me run you through the roadmap and the motivation for our choices  
at RIPE61. In short, everything we do is about providing *value* for  
our membership and the community. This means that with the resources  
we have, we have to make a choice between (1) offering a solution with  
every feature under the sun, but that contains little value and usability  
or (2) we choose to do a phased approach where the entry barrier into  
the system is low, hassle is taken away from the operator, value and  
user-friendliness is high while still being standards compliant and  
keeping the operator in the driver's seat. Soon we'll get to the full  
package where all options, like running your own CA, are available. It  
perhaps just isn't done in the order that a purist would like to see.

Let me illustrate with two examples: I've delivered full day training  
courses on Routing Registry and DNSSEC. With the RR course, by the  
time I was done explaining how to use the IRRToolset to aid in making  
routing decisions based on the IRR, people had given up and decided  
that doing it manually was easier. Like you said at RIPE60: "people  
are voting with their feet." In the DNSSEC training, by the time I was  
done explaining how to do a manual key roll-over, most LIRs decided  
'this is not for me, the cure is worse than the disease'.

This is why I want to get back to my original point, Randy. You agreed  
in your first reply to me that something has to be done to create an  
easy way to get started with the system. We can provide a full,  
standards-compliant solution with up/down and every other feature, but  
how is that going to get all ~350,000 prefixes and ~35,000 ASs into  
the system with ROAs? Manually? I proposed an IRR+BGP import system as  
a value-added tool to help a network operator get started making ROAs.  
That's a pretty good starting point. Where do you suggest we go from  
here?

Of course I appreciate everyone else's response to this thread as  
well! :)

Cheers,

-Alex



