arin and ops fora

Randy Bush randy at psg.com
Sat Jan 8 13:54:28 UTC 2011


[ vix, apologies for giving you both barrels.  you unintentionally
  pushed a hot button or two ]

> Randy, what is the model you have in mind for running a routing
> registry infrastructure that is sustainable and trustworthy enough for
> uses such as RPKI, i.e. who could/should be running it?

<ietf heresy>
the pki wg sat with their thumbs up their nether sides for a decade
instead of working on a trust topology that mapped something a bit
more operationally realistic than x.500.
</ietf heresy>

so all we have is a hierarchic trust model.  luckily, that matches the
topology of the resources we are tracking, ip address space and asns.
like ipv6, we're not going to go back a few decades and change either
the allocation topology (iana->{rirs+legacy}->...->...) or x.509.

[ and yes, i have put some time into thinking about hacking a pgp-based
  solution.  probably i am just not smart enough.  but i asked a bunch
  of folk smarter than i (target rich environment, i know), and did not
  find optimism. ]

so whether we like it or not, the rpki underlies formally verifiable
routing security.  it's all we have.  and i care a real lot about
formally verifiable routing security.  a real lot.

so this is why i am so deeply concerned about the iana and the rirs'
actions, policies, engineering, operations, ... on this stuff.  we are
married to them whether either side likes it or not, at least until the
youngest kid leaves for uni or gets a job.

> I guess I'm arguing that from my non-North-American perspective, an
> ARIN with a carefully extended mandate could be of much help here.  So
> even if you're unhappy with the current ARIN governance, maybe it
> would still be worthwhile for the community to fix that issue - unless
> there are credible alternatives.

i do not see much alternative.  maybe if we could pry the iana away from
the domainer slime and the usg and maybe move it to iceland, it could
allocate directly and we could dump the regional address cartel.  but it
is not likely.  so we as the ops community need to work to make the
iana/rir system, pretty much as it is today, do the rpki deployment in a
manner we can trust and with which we can be comfortable.

randy
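The "hierarchic trust model" that, as the post above argues, matches the allocation topology (iana->rirs->lirs) is what RPKI validation actually checks: every certificate's IP and AS resources must be contained in its issuer's, all the way up to a trust anchor, and a ROA is only valid if its prefix sits inside the signing certificate's resources. The following toy model is an added example, not code from the post or from any RIR's software; the certificate names (iana-ta, rir-a, lir-x, lir-bad), the prefixes and the AS ranges are constructed sample data, and the model omits real X.509 signature checking and the "inherit" resource marker.

```python
"""Toy RPKI resource hierarchy: walk a chain of resource certificates up to a
trust anchor, enforcing that each child's resources are a subset of its
issuer's (the RFC 6487 rule), then validate a ROA against the signer.
Constructed example, not any registry's code."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ResourceCert:
    name: str
    issuer: Optional[str]                 # None marks the trust anchor
    prefixes: Tuple[str, ...]             # IP resources held by this cert
    asns: Tuple[Tuple[int, int], ...]     # inclusive (low, high) AS ranges


def prefix_covered(child: str, parent_prefixes: Sequence[str]) -> bool:
    """True if `child` is equal to or more specific than some parent prefix."""
    c = ip_network(child)
    return any(
        c.version == ip_network(p).version and c.subnet_of(ip_network(p))
        for p in parent_prefixes
    )


def asn_range_covered(child: Tuple[int, int], parent_ranges: Sequence[Tuple[int, int]]) -> bool:
    """True if the child AS range lies inside some parent AS range."""
    lo, hi = child
    return any(plo <= lo and hi <= phi for plo, phi in parent_ranges)


def validate_chain(certs: Dict[str, ResourceCert], leaf: str, trust_anchor: str) -> Tuple[bool, str]:
    """Walk from `leaf` to its issuer repeatedly; every hop must be a resource
    subset of the hop above, and the walk must end at `trust_anchor`."""
    cur = certs.get(leaf)
    if cur is None:
        return False, f"unknown certificate {leaf}"
    seen = set()
    while cur.issuer is not None:
        if cur.name in seen:
            return False, f"issuer cycle at {cur.name}"
        seen.add(cur.name)
        parent = certs.get(cur.issuer)
        if parent is None:
            return False, f"{cur.name}: issuer {cur.issuer} not found"
        for p in cur.prefixes:
            if not prefix_covered(p, parent.prefixes):
                return False, f"{cur.name}: prefix {p} not held by issuer {parent.name}"
        for r in cur.asns:
            if not asn_range_covered(r, parent.asns):
                return False, f"{cur.name}: AS range {r} not held by issuer {parent.name}"
        cur = parent
    if cur.name != trust_anchor:
        return False, f"chain ends at {cur.name}, not the configured trust anchor"
    return True, "ok"


def validate_roa(certs: Dict[str, ResourceCert], signer: str, prefix: str,
                 max_length: int, trust_anchor: str) -> Tuple[bool, str]:
    """A ROA is valid when its signer chains to the trust anchor and the ROA
    prefix is inside the signer's IP resources. The authorised AS number is
    not a resource of the signer, so it is deliberately not checked here."""
    ok, why = validate_chain(certs, signer, trust_anchor)
    if not ok:
        return False, why
    net = ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        return False, f"maxLength {max_length} outside [{net.prefixlen}, {net.max_prefixlen}]"
    if not prefix_covered(prefix, certs[signer].prefixes):
        return False, f"ROA prefix {prefix} not in {signer}'s resources"
    return True, "ok"


# Constructed sample hierarchy (documentation prefixes and private AS numbers).
CERTS: Dict[str, ResourceCert] = {
    "iana-ta": ResourceCert("iana-ta", None, ("0.0.0.0/0", "::/0"), ((0, 4294967295),)),
    "rir-a": ResourceCert("rir-a", "iana-ta", ("198.51.100.0/24", "203.0.113.0/24"), ((64496, 64511),)),
    "lir-x": ResourceCert("lir-x", "rir-a", ("198.51.100.0/25",), ((64496, 64499),)),
    # Over-claims a prefix its issuer (lir-x) does not hold: must be rejected.
    "lir-bad": ResourceCert("lir-bad", "lir-x", ("203.0.113.0/24",), ()),
}

if __name__ == "__main__":
    print(validate_chain(CERTS, "lir-x", "iana-ta"))
    print(validate_chain(CERTS, "lir-bad", "iana-ta"))
    print(validate_roa(CERTS, "lir-x", "198.51.100.0/25", 25, "iana-ta"))
    print(validate_roa(CERTS, "lir-x", "203.0.113.0/24", 24, "iana-ta"))
```

The point the model makes is the one in the post: because address space and AS numbers are handed down iana->rir->lir, a certificate can only ever attest to what its issuer already held, so a single trust anchor at the top of the allocation tree suffices and no web-of-trust style cross-signing is needed to decide whether a ROA is authoritative.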




More information about the NANOG mailing list