ARIN RPKI TAL deployment issues

Job Snijders job at ntt.net
Tue Sep 25 21:04:26 UTC 2018


Dear John,

On Tue, Sep 25, 2018 at 08:28:54PM +0000, John Curran wrote:
> On 25 Sep 2018, at 3:34 PM, Job Snijders <job at ntt.net> wrote:
> > 
> > On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote:
> >> On Sep 25, 2018, at 1:30 PM, Job Snijders <job at ntt.net> wrote:
> >>> 
> >>>   """Using the data, we can also see that the providers that have not
> >>>   downloaded the ARIN TAL. Either because they were not aware that
> >>>   they needed to, or could not agree to the agreement they have with
> >>>   it.
> >> 
> >> Is it possible to ascertain how many of those who have not downloaded
> >> the ARIN TAL are also publishing ROA’s via RIPE’s CA?
> > 
> > I'm sure we could extend the data set to figure this out. 
> 
> It would be informative to know how many organizations potentially
> have concerns about the indemnification clause in the RPA but already
> agree to indemnification via RIPE NCC Certification Service Terms and
> Conditions.

This seems a matter of personal curiosity that perhaps distracts from
the problem at hand: the ARIN TAL is less widely deployed than the other
TALs.

I'm open to solutions or suggestions to get the ARIN TAL more widely
distributed, however I do think that inclusion in the RPKI Cache
Validators is a *key* element, so the ARIN TAL can be used after a
default installation of such software.

We really need to bring it back down to "apt install rpki-cache-validator"
to best serve the interests of the ARIN members. Imagine the Chrome
browser shipping without any of the TLS Root Certificates, or Unbound
without the DNSSEC root key!

Kind regards,

Job


More information about the NANOG mailing list