ARIN RPKI TAL deployment issues

Jared Mauch jared at puck.nether.net
Tue Sep 25 23:11:52 UTC 2018


> On Sep 25, 2018, at 4:28 PM, John Curran <jcurran at arin.net> wrote:
> 
> On 25 Sep 2018, at 3:34 PM, Job Snijders <job at ntt.net> wrote:
>> 
>> On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote:
>>> On Sep 25, 2018, at 1:30 PM, Job Snijders <job at ntt.net> wrote:
>>>> 
>>>>  """Using the data, we can also see that the providers that have not
>>>>  downloaded the ARIN TAL. Either because they were not aware that
>>>>  they needed to, or could not agree to the agreement they have with
>>>>  it.
>>> 
>>> Is it possible to ascertain how many of those who have not downloaded
>>> the ARIN TAL are also publishing ROA’s via RIPE’s CA?
>> 
>> I'm sure we could extend the data set to figure this out. 
> 
> It would be informative to know how many organizations potentially have concerns about the indemnification clause in the RPA but already agree to indemnification via RIPE NCC Certification Service Terms and Conditions.

It would be interesting to see how much further deployment would have occurred if ARIN made it’s TAL available similar to the other locations.

Thankfully we have active measurements that show that ARIN prefixes are less protected due to this.  As someone that is (for personal reasons) now a voting member of ARIN, this is one of my primary concerns.  My ARIN issued space is _less_ protected than if I were to have used another RIR.  This devalues that investment.  

Instead of asking for an experiment, John I challenge you to make the ARIN TAL available and help play a role in securing the IP space within your region.  There is this mantra of Secure by Default that many people have learned since the open-relay, smurf amplification and other attack days.  There’s a reason my password isn’t a dictionary word, etc.

If you make it easy to secure a website (eg: Lets Encrypt is a great example) there are now fewer self-signed certificates because it’s easier to do.

Why is ARIN making it so hard for it’s members to get the benefits of the global ecosystem for their RIR controlled space?  What makes ARIN IP space so unique in this sense?  As part of a global ecosystem it’s incumbent of many of us to do the right thing here and ARIN is increasing the friction on the part of everyone to do the right thing.

If I had to download the ARIN CA in order to interact with www.arin.net vs it being bundled in my browser store, would I be able to securely interact with ARIN?

Therefore, I once again challenge you as part of the leadership of this organization to make the ARIN IP space as protected as those issued by the other regions.  Let the developers know that if they bundle the ARIN TAL they won’t face legal action.  Help bring routing security to the same ease of use as places like LetsEncrypt do for those in the SSL/TLS ecosystem.

- Jared Mauch
(Representing my own self/WFPL-1)


More information about the NANOG mailing list