ARIN RPKI TAL deployment issues

Jared Mauch jared at puck.nether.net
Wed Sep 26 00:18:02 UTC 2018


> On Sep 25, 2018, at 7:55 PM, Michel Py <michel.py at tsisemi.com> wrote:
> 
> John,
> 
>> John Curran wrote :
>> 2) They could not agree to ARIN RPA agreement (for which the most cited reason is the indemnification clause, but perplexing given agreement to other indemnification clauses such as RIPE’s Certification services.)
> 
> I would entertain that "could not agree to ARIN RPA" is why they don't use the TAL. I may not be representative, but  I knew I had to download it.
> And maybe you missed a third possibility :
> 3) Nobody really cares about the ARIN TAL because almost nobody has validated a prefix within the ARIN region therefore installing the ARIN TAL is almost useless :-(
> 
> We don't only have a problem withTAL deployment, we also have an adoption issue.
> And possibly an egg-and-chicken issue : nobody deploys the TAL because nobody validates their prefixes, and vice versa.

Actually there are prefixes in the ARIN region with ROAs, and one would presume that issuing the ROA means you want it to be validated as well.  (Similar to hosting a website on SSL vs HTTP or even gopher://)

The intent is at least there, and similar to DNSSEC, publishing your DS record in the parent is part of that explicit configured intent.

Saying “nobody validates their prefixes” is patently false.  You may not.  I may not, but there are a number of networks that are and have advertised that they are.

I’m not saying you need to secure your network, but if you want to secure your routes and have an allocation from ARIN, you really need their TAL to be in the default trust store similar to how you have your PKI trust store in your OS, Browser, etc…

I need my local geographic RIR to care that their anchor is included by default and to make it clear that distributing the TAL is different from _using_ the TAL.  Just because I have CA roots in my browser trust store does not mean I am using them all, but if I need to it will work.

On my Mac when I upgrade Xcode it often asks me to accept the License for what I downloaded.  The same is true if you use gnu parallel, it outputs some wonderful legalese.  There are many comparisons, which is why I’m asking that ARIN permit developers to make it easier for end-users to use the PKI material that makes the global ecosystem more complete and secure.  If to start you have to edit the config file to say “I accept arin license for this”=yes would that work?  We need that outreach and clarity because at present it’s not there by default and there is a communication gap between the various developers and ARIN.

Those that are issuing ROAs (or are soon to) depend on this.  Like I said previously, I’m going to be talking to each ARIN candidate for election this fall about this very topic and what actions they intend to do to support global secure routing.

Michel, It would be a shame if you created a ROA and it could not be validated in some non-english speaking corner of the world that put your assets at risk due to this posture.  The community needs secure by default for all regions and the barriers for ARIN IP space are a real and measured problem.  It’s time to end this disparity as right now not all TALs are equal.  They should be.

- Jared


More information about the NANOG mailing list