AltDB?

Christopher Morrow morrowc.lists at gmail.com
Sat Jan 8 19:47:47 UTC 2011


On Sat, Jan 8, 2011 at 1:10 PM, Jon Lewis <jlewis at lewis.org> wrote:
> Getting back to the original topic...sort of:

thanks!

> [1] Don't care is probably too strong.  At this point in time, I don't think
> it makes sense to get hung up on it and refuse to do any authentication if
> we're not doing RPKI, but not implement RPKI, because we haven't worked out
> all the details on how it'll be done.  As it is, rr.arin.net is pretty much
> worthless.

I don't think rr.arin.net and RPKI have anything to do with each
other. I think the direction the RPKI should/is taking is to have the
RIR sign a ROA to the ORG that they allocate the address space to...
Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
ORG that they assign address space to.

Ideally you should be able to ask the RPKI system: "I have 1.2.3.0/24
in a bgp announcement, origin'd by AS1234. Is that proper?" Ideally
that magic doesn't happen on the "router" but a digested form of the
data is available making much of the heavy-lifting not router-based.

The parts of the puzzle here that ARIN (or really any RIR) is
responsible for are the 'signing roas to allocatees' (the "up/down
protocol" as it's referred to in the drafts -
<http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09>)
and potentially having a system which permits end-users/ORGs to enter
data which generates ROA data (and sends that along to some
publication point for the rest of the routing world to
download/digest).

I believe the 'up/down protocol' part here is critical, the "web
server" part ... I'm not sure is so critical, maybe a third party
makes that happen outside of the ARIN management chain?

Using someone not yourself (ARIN or another third party) to manage
your ROA data means you probably have (in the most simple case) given
that third party the ability to sign objects for you; that means
they have your private key(s) and can break you by
mistake/malfeasance/oversight/etc. For this reason some folks may be
ok with using a third party, many will choose to hold their fate in
their own hands.

-Chris
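The question Chris poses above ("I have 1.2.3.0/24 in a bgp announcement, origin'd by AS1234. Is that proper?") is exactly what a route origin validator answers from the ROA data it has fetched and digested, which is the "heavy-lifting not router-based" part of the design. The following is an added example, not code from the post or from any RIR or RPKI software: it implements the RFC 6811 origin-validation decision (a covering ROA matching both origin AS and maxLength gives Valid, covering ROAs that all fail to match give Invalid, no covering ROA gives NotFound) over a small set of constructed ROAs. The ROA entries, the AS numbers other than AS1234, and the `validate_origin` function name are assumptions for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class Validity(Enum):
    """RFC 6811 route origin validation states."""
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: prefix, maxLength, and the authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    """Build a ROA, rejecting maxLength values outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} invalid for {net}")
    return ROA(net, max_length, origin_as)


def validate_origin(announced_prefix: str, origin_as: int, roas: list[ROA]) -> Validity:
    """Classify one (prefix, origin AS) pair against the digested ROA set."""
    net = ipaddress.ip_network(announced_prefix, strict=True)

    # A ROA "covers" the announcement when its prefix contains the announced one.
    covering = [
        r for r in roas
        if r.prefix.version == net.version and net.subnet_of(r.prefix)
    ]
    if not covering:
        return Validity.NOT_FOUND

    for roa in covering:
        # AS 0 ROAs (RFC 6483) never match a real origin; they only make
        # otherwise-unmatched announcements Invalid.
        if roa.origin_as == 0 or origin_as == 0:
            continue
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return Validity.VALID
    return Validity.INVALID


# Constructed sample ROA set (assumption, not data from any RIR repository).
SAMPLE_ROAS = [
    make_roa("1.2.0.0/16", 24, 1234),        # the /16 holder allows /16..24 from AS1234
    make_roa("1.2.3.0/24", 24, 64496),       # a more-specific delegation to AS64496
    make_roa("203.0.113.0/24", 24, 0),       # AS0 ROA: nobody may originate this
]


def classify_announcements(announcements: list[tuple[str, int]],
                           roas: list[ROA]) -> dict[tuple[str, int], Validity]:
    """Batch helper: map each (prefix, origin AS) to its validity state."""
    return {a: validate_origin(a[0], a[1], roas) for a in announcements}


if __name__ == "__main__":
    sample = [
        ("1.2.3.0/24", 1234),       # the case from the post
        ("1.2.3.0/25", 1234),       # too specific for maxLength 24
        ("1.2.3.0/24", 64512),      # unauthorised origin
        ("1.2.3.0/24", 64496),      # matched by the more-specific ROA
        ("198.51.100.0/24", 1234),  # no covering ROA at all
        ("203.0.113.0/24", 1234),   # only an AS0 ROA covers it
    ]
    for (prefix, asn), state in classify_announcements(sample, SAMPLE_ROAS).items():
        print(f"{prefix:18} AS{asn:<6} -> {state.value}")
```

Note that NotFound is a distinct outcome from Invalid: a router policy that drops only Invalid routes is safe to deploy before every holder has published ROAs, whereas treating NotFound the same as Invalid would reject most of today's routing table. The maxLength check is what stops an attacker who controls a non-authorised AS from slipping in a more-specific hijack under a loosely written ROA.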



