rpki vs. secure dns?

• Previous message (by thread): rpki vs. secure dns?
• Next message (by thread): rpki vs. secure dns?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 28/04/2012 14:04, Alex Band wrote:
> At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote
> on RPKI at the general meeting. The result was that the RIPE NCC has the
> green light to continue offering the Resource Certification service,
> including all BGP Origin Validation related functionality. It's correct
> that concerns were raised in the area of security, resilience and
> operator autonomy, as you mention. These concerns are continuously being
> evaluated and addressed. The response to the update that was given at
> RIPE 64 two weeks ago indicated that the membership and Community are
> happy with the approach the RIPE NCC is taking in this regard. Of course
> I realize that some people will never be convinced, no matter which
> steps are taken…

Alex, I have to take exception with your statement that people in the RIPE
region are generally happy about RPKI and the RIPE NCC RPKI project. They
aren't.

On the basis of some initial interest in the RIPE community several years
ago, the RIPE NCC embarked on a certification + rpki project.  By way of
clarification for other readers of this mailing list, the RIPE NCC is a
Dutch company constituted to carry out the policy requirements of the RIPE
community.  The way this is supposed to work is that the RIPE community
puts forward policy proposals, and the RIPE NCC carries these policies out.

Some time after the certification project was started in the NCC, a policy
proposal (2008-08) was floated in the RIPE community in order to turn this
into official RIPE policy, so that it could be formally carried out by the
RIPE NCC.

Mid last year, after extensive and heated discussion on the address policy
working group mailing list, that policy proposal was withdrawn from the
RIPE policy development process because it was clear that a large number of
people in the RIPE community were deeply uneasy about a variety of
implications.  It is true that some of these concerns have been addressed
to some extent by the NCC, but the core issues of concern are fundamental
to RPKI.

Later that year, several potential proposals were put forward by the RIPE
NCC board at the Nov 2011 general meeting concerning the future of the RIPE
NCC certification project.  The RIPE NCC members - who are a fee-paying
subset of the RIPE community - voted by 52% to 48% to keep funding the
project.  By any objective measure, this is an alarmingly slim majority.

In short:

-  a substantial number of people, both within the RIPE community and
within the RIPE NCC membership have serious concerns about the long-term
legal consequences of this project which have not (in their opinion) been
addressed adequately.

-  the RIPE NCC is now funding a project for which there is no consensus
policy supported by the RIPE community, and is doing this on the basis of a
hair's breath majority vote amongst its membership.

Nick

• Previous message (by thread): rpki vs. secure dns?
• Next message (by thread): rpki vs. secure dns?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]