ARIN resource certification service update

John Curran jcurran at arin.net
Thu Jan 6 16:17:51 UTC 2011 

On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:

>> 1) If ARIN doesn't provide the level of authentication you desire, as
>> an ARIN member you should send a note to ppml each day until it's
>> available
> 
> this is not address policy.  this is ops.  surely one does not have to
> dirty one's self with the ppml list to get an ops fix done in arin.  it
> is not address policy.
> 
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe).  as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.

Randy - 

   Excellent point; my apologies for not realizing this sooner and
   posting some information directly for consideration by the NANOG 
   community.

   Attached is a message from the arin-discuss mailing list which 
   has some more context; please feel free to discuss this on the 
   arin-discuss mailing list or here on NANOG (as appropriate)

Thanks!
/John

Begin forwarded message:

> From: John Curran <jcurran at arin.net>
> Date: January 6, 2011 11:08:39 AM EST
> To: "George, Wes E [NTK]" <Wesley.E.George at sprint.com>
> Cc: "arin-discuss at arin.net" <arin-discuss at arin.net>
> Subject: Re: [arin-discuss] Important Update Regarding Resource Certification
> 
> On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
> 
>> There have been some threads about this on NANOG in the last few days. Can
>> we get a bit clearer explanation of what the specific security concerns are
>> and why they are delaying things? It may also make sense for someone from
>> ARIN to post to NANOG with an explanation as well. If there are security
>> concerns, it is something that the community should be aware of in case
>> other RIRs or the SIDR WG need to be considering those issues as well.
>> 
>> Thanks, 
>> Wes George
> 
> George - 
> 
>   The security concerns are not specificly related to the RPKI
>   protocol, but inherent implications of any service that might 
>   be heavily relied upon for real-time network operations, i.e.
>   I don't think it's a SIDR WG matter, but simply part of the
>   due diligence associated with the service as noted below.
> 
>   While the RIRs presently provide services which are used to 
>   support operations (such as WHOIS and Reverse DNS services),
>   failure of RIR resource certification services could have 
>   some very significant consequences, particularly in the case
>   of incorrect data as opposed to simply unavailable data.  
>   There are some potential liability implications of operating 
>   such a service that ARIN is presently reviewing in depth.  I 
>   need to also note that these issues exist even in the case of 
>   a perfectly secure and operational service, in that an error
>   by an ISP using ARIN's services (e.g. having entered the wrong 
>   AS number into a ROA for a major customer) could result in 
>   ARIN needing to readily "prove" the integrity of its resource 
>   certification system as well as fidelity of performance against 
>   the operators request.
> 
>   This has led ARIN to consider some aspects of its resource 
>   certification design, specifically to mitigate potential risks
>   in the areas of non-repudiation and multi-party controls. Even
>   so, the ultimate decision in these matters lies with the ARIN 
>   Board, as there is always going to be residual risk associated
>   with any operations-related service provided by ARIN (note also
>   that we have also discussed these issues with the other RIRs, 
>   but as they don't operate in ARIN's highly-litigous region, it   
>   is not necessarily a similar priority for their consideration)
> 
>   To the extent that ARIN offering resource certification services 
>   is important to your plans, it would good to express such needs
>   on the arin-discuss mailing list. This helps us gauge the demand
>   which obviously is another important factor to be considered in
>   making the final determination on offering these services.
> 
>   We intend to have more detailed information out later this month
>   once the plans for finalized, but I hope the above information
>   provides some insight into the process at this point.  I will 
>   post this to the NANOG list for the community's information.
> 
> Thanks!
> /John
> 
> John Curran
> President and CEO
> ARIN
> 
> p.s.  I'm presently on a Caribbean cruise ship on a bona fide 
>      family vacation, so please recognize that replies may 
>      be deferred to off hours so that my laptop isn't thrown 
>      overboard... ;-)

More information about the NANOG mailing list