rpki vs. secure dns?
alexb at ripe.net
Sat Apr 28 08:04:51 CDT 2012
At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin Validation related functionality. It's correct that concerns were raised in the area of security, resilience and operator autonomy, as you mention. These concerns are continuously being evaluated and addressed. The response to the update that was given at RIPE 64 two weeks ago indicated that the membership and Community are happy with the approach the RIPE NCC is taking in this regard. Of course I realize that some people will never be convinced, no matter which steps are taken…
Looking at the bigger picture though, we shouldn't forget that what RPKI, ROVER and the IRR facilitate is merely the ability to make a *statement* about routing (with varying degrees of reliability) and doesn't have a direct impact on BGP routing itself. Ultimately, it is up to the network operator to interpret the data that is entered in the system, allowing them to make an informed decision and take the action they deem appropriate. Everyone has the ability to apply an override on data they do not trust, or have a specific local policy for. In the toolsets for using the RPKI data set for routing decisions, such as the RIPE NCC RPKI Validator, every possible step is taken to ensure that the operator is in the driver's seat.
Have a look here for a public example: http://rpki.netsign.net:8080/
Or install and try it yourself: http://www.ripe.net/certification/tools-and-resources
On 28 Apr 2012, at 13:35, Florian Weimer wrote:
> * Alex Band:
>>> I don't know if we can get RPKI to deployment because RIPE and RIPE
>>> NCC have rather serious issues with it. On the other hand, there
>>> doesn't seem to be anything else which keeps RIRs relevant in the
>>> post-scarcity world, so we'll see what happens.
>> Could you elaborate on what those issues are?
> A year ago, RIPE NCC received legal advice that RPKI-based takedowns
> would not happen under Dutch law because Dutch law lacked any
> provisions for that. This was used to deflect criticism that RPKI
> deployment would result in too much concentration of power:
> The legal analysis turned out to be incomplete and the results
> incorrect---legal counsel failed to consider public order legislation.
> The validity of such an order (issued in the Dnschanger context) is
> currently being challenged in a Dutch court.
> From the comments on these events, I infer that RIPE NCC still does
> not want to exercise this level of control over routing, and the RIPE
> community does not want RIPE to have such control. But assuming that
> the order stands, RPKI will provide RIPE NCC with a tool that nobody
> wants it to have, and RIPE NCC can be forced to use it. Depending on
> the seriousness of those concerns, that's the end of RPKI deployment.
> (However, the most likely outcome of the current court case is that
> this particular police order will be found invalid on a formality,
> such as lack of effectiveness, providing little insight on the
> validity of future orders which are more carefully crafted.)
> Regarding the post-scarcity future, if most address holders never have
> to come back to the RIR to request more addresses, the number of
> address-related RIR/LIR transactions will decrease. Organizations
> have a tendency to resist decreases in business (even non-profits),
> and RPKI is an obvious source of future business.
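The point Alex makes above, that RPKI data is only a statement about routing and that the operator decides what to do with it, including overriding data they do not trust, can be shown in code. The following is an added example, not code from the original message or from the RIPE NCC RPKI Validator. It implements RFC 6811 origin validation (Valid / Invalid / NotFound) over a set of Validated ROA Payloads (VRPs), then layers a local override step modelled loosely on SLURM (RFC 8416, which postdates this thread; its filter-matching semantics are simplified here and are an assumption), and finally maps the validation state to an action through an operator-chosen policy table. All VRPs, routes and the policy are constructed sample data.

```python
"""Toy RPKI Route Origin Validation with an operator-controlled override layer.

Added example: VRPs, routes and policy below are constructed for illustration,
not real registry data or the RIPE NCC Validator's code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: (prefix, maxLength, authorised origin ASN)."""
    prefix: str
    max_length: int
    asn: int


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def covers(vrp_prefix, route_prefix):
    """True if route_prefix is equal to, or more specific than, vrp_prefix."""
    a, b = _net(vrp_prefix), _net(route_prefix)
    return a.version == b.version and b.subnet_of(a)


def validate(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation state for one (prefix, origin AS) route."""
    covering = [v for v in vrps if covers(v.prefix, route_prefix)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    plen = _net(route_prefix).prefixlen
    if any(v.asn == origin_asn and plen <= v.max_length for v in covering):
        return "Valid"             # some covering ROA authorises this origin
    return "Invalid"               # covered, but no ROA matches origin/length


def apply_overrides(vrps, prefix_filters=(), prefix_assertions=()):
    """Local override in the spirit of SLURM (RFC 8416): drop VRPs the operator
    distrusts, add VRPs the operator asserts from local knowledge.

    Assumed, simplified filter semantics: a filter matches a VRP when the VRP
    prefix falls inside the filter prefix (if given) and the ASN is equal
    (if given)."""
    kept = []
    for v in vrps:
        dropped = False
        for f in prefix_filters:
            prefix_ok = "prefix" not in f or covers(f["prefix"], v.prefix)
            asn_ok = "asn" not in f or f["asn"] == v.asn
            if prefix_ok and asn_ok:
                dropped = True
                break
        if not dropped:
            kept.append(v)
    kept.extend(prefix_assertions)
    return kept


def route_action(state, policy):
    """The validation state is only a statement; the operator's policy table
    decides what actually happens to the route."""
    return policy.get(state, "accept")


# Constructed sample data (documentation prefixes and private-use ASNs)
PUBLISHED_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),
    VRP("2001:db8::/32", 48, 64496),
]
LOCAL_FILTERS = [{"prefix": "198.51.100.0/24"}]        # operator distrusts this ROA
LOCAL_ASSERTIONS = [VRP("203.0.113.0/24", 24, 64498)]  # operator asserts local knowledge
POLICY = {"Valid": "accept", "NotFound": "accept", "Invalid": "reject"}


def evaluate(route_prefix, origin_asn):
    """Full pipeline: published VRPs -> local overrides -> state -> action."""
    vrps = apply_overrides(PUBLISHED_VRPS, LOCAL_FILTERS, LOCAL_ASSERTIONS)
    state = validate(route_prefix, origin_asn, vrps)
    return state, route_action(state, POLICY)


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64499), ("198.51.100.0/25", 64499),
                        ("203.0.113.0/24", 64498)]:
        print(prefix, asn, *evaluate(prefix, asn))
```

Note how the same route 198.51.100.0/25 from AS64499 is Invalid against the published data but NotFound once the operator's filter removes the ROA they distrust, and how 203.0.113.0/24 becomes Valid only because of a locally asserted VRP; in both cases the published registry data did not change, only the operator's interpretation of it did.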