question about Mark Koster's ARIN presentation

Mark Kosters markk at arin.net
Thu Jun 25 20:38:48 UTC 2009


Hi Sandy
On Thu, Jun 18, 2009 at 12:05:20PM -0400, Sandy Murphy wrote:
> The presentation said that ARIN would be doing a lot of work to
> improve the IRR.  The last I asked, the ARIN IRR did not support the
> RPSS (Routing Policy System Security - RFC2725).  RIPE supports this,
> I know.  Will the ARIN improvements include support for RPSS?

The current effort will only allow for IPv6 objects (route6/inet6num). Further
enhancements to ARIN's IRR will be coupled together with improvements to ARIN
Online that will be announced in the future.

> The presentation talked about the RPKI pilot, and Mark said that
> ARIN would be using the RIPE code.  I believe RIPE has or had a couple
> different attempts at this, so I'm not sure what features the code
> you use will have.  Will you have the ability to hand certs to ISPs
> so that they can do their own cert generation for the allocations
> they hand to their own customers?  I.e., is ARIN going to run a
> service just for its members, or will it enable its members to
> participate in the RPKI themselves?

We are using the same code that RIPE is using at http://certtest.ripe.net.
RIPE has been very kind to allow us to use their code.  As for ARIN,
this is a pilot and is certainly not a final fixed-feature set. The
first go of this is the "hosted" solution where an ISP can come into
ARIN's pilot and create ROAs based off of allocations that they
have received from ARIN. 

All the ROAs will be placed into an rsync repository that can be retrieved
and validated. Specifically, here are the features that are a part of the
system:

*  Enables ARIN resource holders to request certificates for their IPv4 and 
   IPv6 Provider Aggregatable (PA) resources
*  Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) 
   for their PA address space
*  Provides a public repository of certificates and ROAs
*  Handles key rollovers and revocations

Thanks,
Mark



