[arin-announce] ARIN Resource Certification Update

Paul Vixie vixie at isc.org
Sat Jan 29 22:00:05 UTC 2011


> From: Alex Band <alexb at ripe.net>
> Date: Sat, 29 Jan 2011 16:26:55 +0100
> 
> ... So the question is, if the RIPE NCC would have required everyone
> to run their own certification setup using the open source tool-sets
> Randy mentions, would there be this much certified address space now?

i don't agree that that question is pertinent.  in deployment scenario
planning i've come up with three alternatives and this question is not
relevant to any of them.  perhaps you know a fourth alternative.  here
are mine.

1. people who receive routes will prefer signed vs. unsigned, and other
people who can sign routes will sign them if it's easy (for example,
hosted) but not if it's too hard (for example, up/down).

2. same as #1 except people who really care about their routes (like
banks or asp's) will sign them even if it is hard (for example, up/down).

3. people who receive routes will ignore any unsigned routes they hear,
and everyone who can sign routes will sign them no matter how hard it is.

i do not expect to live long enough to see #3.  the difference between #1
and #2 depends on the number of validators not the number of signed routes
(since it's an incentive question).  therefore small differences in the
size of the set of signed routes does not matter very much in 2011, and
the risk:benefit profile of hosted vs. up/down still matters far more.

> Looking at the depletion of IPv4 address space, it's going to be
> crucially important to have validatable proof who is the legitimate
> holder of Internet resources. I fear that by not offering a hosted
> certification solution, real world adoption rates will rival those of
> IPv6 and DNSSEC. Can the Internet community afford that?

while i am expecting a rise in address piracy following depletion, i am
not expecting #3 (see above) and i think most of the piracy will be of
fallow or idle address space that will therefore have no competing route
(signed or otherwise).  this will become more pronounced as address
space holders who care about this and worry about this sign their routes
-- the pirates will go after easier prey.  so again we see no material
difference between hosted and up/down on the deployment side or if there
is a difference it is much smaller than the risk:benefit profile
difference on the provisioning side.

in summary, i am excited about RPKI and i've been pushing hard for in
both my day job and inside the ARIN BoT, but... let's not overstate the
case for it or kneejerk our way into provisioning models whose business
sense has not been closely evaluated.  as john curran said, ARIN will
look to the community for the guideance he needs on this question.  i
hope to see many of you at the upcoming ARIN public policy meeting in
san juan PR where this is sure to be discussed both at the podium and in
the hallways and bar rooms.

Paul Vixie
Chairman and Chief Scientist, ISC
Member, ARIN BoT




More information about the NANOG mailing list