This message is sent to the whole nanog list, rather than the
nanog-attendees list, as I'm not sure who would be watching that
list when the conference is over.

I stood up to ask a question at the end of Mark Koster's presentation
yesterday, but before I got to the end of the table, he was being applauded
and leaving the stage. I must be too short.

The presentation said that ARIN would be doing a lot of work to
improve the IRR. The last I asked, the ARIN IRR did not support the
RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
I know. Will the ARIN improvements include support for RPSS?

The presentation talked about the RPKI pilot, and Mark said that
ARIN would be using the RIPE code. I believe RIPE has or had a couple
different attempts at this, so I'm not sure what features the code
you use will have. Will you have the ability to hand certs to ISPs
so that they can do their own cert generation for the allocations
they hand to their own customers? I.e., is ARIN going to run a
service just for its members, or will it enable its members to
participate in the RPKI themselves?

--Sandy

> This message is sent to the whole nanog list, rather than the
> nanog-attendees list,

How come there is a nanog-attendees list disjunct from the nanog list?
Wouldn't it be natural to broadcast any kind of content to the
entire community?

Cheers,
mh

> as I'm not sure who would be watching that
> list when the conference is over.
> I stood up to ask a question at the end of Mark Koster's presentation
> yesterday, but before I got to the end of the table, he was being applauded
> and leaving the stage. I must be too short.
> The presentation said that ARIN would be doing a lot of work to
> improve the IRR. The last I asked, the ARIN IRR did not support the
> RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
> I know. Will the ARIN improvements include support for RPSS?

Interesting, yes.

> The presentation talked about the RPKI pilot, and Mark said that
> ARIN would be using the RIPE code. I believe RIPE has or had a couple
> different attempts at this, so I'm not sure what features the code
> you use will have. Will you have the ability to hand certs to ISPs
> so that they can do their own cert generation for the allocations
> they hand to their own customers? I.e., is ARIN going to run a
> service just for its members, or will it enable its members to
> participate in the RPKI themselves?

As well.

> --Sandy

mh

Umm... "Presentation XYZ has been moved from the Blue Room to the Paisley Room"
and similar administrivia of interest only to actual attendees?

nanog-attendees is intended to be used for social and specific conference related topics. Topics discussed at the conference with operational relevance should be here on the main list.

If anyone feels the need to follow up on the nanog-attendees/nanog distinction, please do so on nanog-futures.

Thanks!
Kris
MLC Chair

Michael Hallgren wrote:
>> This message is sent to the whole nanog list, rather than the
>> nanog-attendees list,
> How come there is a nanog-attendees list disjunct from the nanog list?
> Wouldn't it be natural to broadcast any kind of content to the
> entire community?

Before we had a nanog-attendees list, the nanog list would be bombarded with posts that were of no interest to people who weren't actually at the conference, such as issues with the conference wifi, issues with schedule conflicts, chatter about outside events in the host city, etc. It makes perfect sense to have a nanog-attendees list to keep those discussions off the main nanog list.

I believe you can join the nanog attendees list without actually attending a nanog conference, if you want to get everything-nanog in your inbox.

jc

OK. More info's a good thing, better than less info... And we all know how
to read and filter mail. Right?

No harm, TTYS,
mh

Thanks MLC Chair, so will be.

mh

Hi Sandy

> The presentation said that ARIN would be doing a lot of work to
> improve the IRR. The last I asked, the ARIN IRR did not support the
> RPSS (Routing Policy System Security - RFC2725). RIPE supports this,
> I know. Will the ARIN improvements include support for RPSS?

The current effort will only allow for ipv6 objects (route6/inet6num). Further
enhancements to ARIN's IRR will be coupled together with improvements to ARIN
Online that will be announced in the future.

> The presentation talked about the RPKI pilot, and Mark said that
> ARIN would be using the RIPE code. I believe RIPE has or had a couple
> different attempts at this, so I'm not sure what features the code
> you use will have. Will you have the ability to hand certs to ISPs
> so that they can do their own cert generation for the allocations
> they hand to their own customers? I.e., is ARIN going to run a
> service just for its members, or will it enable its members to
> participate in the RPKI themselves?

We are using the same code that RIPE is using at http://certtest.ripe.net.
RIPE has been very kind to allow us to use their code. As for ARIN,
this is a pilot and is certainly not a final fixed-feature set. The
first go of this is the "hosted" solution where an ISP can come into
ARIN's pilot and create ROAs based off of allocations that they
have received from ARIN.

All the ROAs will be placed into an rsync repository that can be retrieved
and validated. Specifically, here are the features that are a part of the
system:

* Enables ARIN resource holders to request certificates for their IPv4 and
  IPv6 Provider Aggregatable (PA) resources
* Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
  for their PA address space
* Provides a public repository of certificates and ROAs
* Handles key rollovers and revocations

Thanks,
Mark

> The current effort will only allow for ipv6 objects
> (route6/inet6num).

s/allow for/add support for/
i hope

> We are using the same code that RIPE is using at http://certtest.ripe.net.
> RIPE has been very kind to allow us to use their code. As for ARIN,
> this is a pilot and is certainly not a final fixed-feature set. The
> first go of this is the "hosted" solution where an ISP can come into
> ARIN's pilot and create ROAs based off of allocations that they
> have received from ARIN.
> All the ROAs will be placed into an rsync repository that can be retrieved
> and validated. Specifically, here are the features that are a part of the
> system:
> * Enables ARIN resource holders to request certificates for their IPv4 and
>   IPv6 Provider Aggregatable (PA) resources
> * Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
>   for their PA address space
> * Provides a public repository of certificates and ROAs
> * Handles key rollovers and revocations

the simple version of the question: who holds my private key(s)?

the longer version: does this implement my having my own subsidiary CA
with it communicating with ARIN's and RIPE's ... using the protocols of
the ietf sidr work?

randy

>> We are using the same code that RIPE is using at http://certtest.ripe.net.
>> RIPE has been very kind to allow us to use their code. As for ARIN,
>> this is a pilot and is certainly not a final fixed-feature set. The
>> first go of this is the "hosted" solution where an ISP can come into
>> ARIN's pilot and create ROAs based off of allocations that they
>> have received from ARIN.
>> All the ROAs will be placed into an rsync repository that can be retrieved
>> and validated. Specifically, here are the features that are a part of the
>> system:
>> * Enables ARIN resource holders to request certificates for their IPv4 and
>>   IPv6 Provider Aggregatable (PA) resources
>> * Enables ARIN resource holders to manage Route Origin Authorizations (ROAs)
>>   for their PA address space
>> * Provides a public repository of certificates and ROAs
>> * Handles key rollovers and revocations
> the simple version of the question: who holds my private key(s)?

i guess the answer is ARIN does. not very private are they.

> the longer version: does this implement my having my own subsidiary CA
> with it communicating with ARIN's and RIPE's ... using the protocols of
> the ietf sidr work?

i guess not.

so how do i, a transit provider arin member, get certs and roas for my
downstream multi-homed customers?

randy