Those are fair points Sandy, I agree they need to be resolved.
It's just that RPKI feels like a _really heavy solution to _that problem. That said, if that problem were solved nearly all of what I care about with regard to routing security (and inter-domain anti-spoofing) could be addressed.
-danny
you just happen to have the view from a third world country
look at.
http://archive.psg.com/141006.rpki-nanog.pdf slides 4 & 5
or
http://certification-stats.ripe.net/?type=roa-v4
randy
I agree with Randy. RPKI is achievable today. Signing routes is a trivial
amount of effort, there is really no excuse to not do it. Even i did it.
Validation does take effort, but it is consistent with the level of effort
to deploy any new router feature.
CB
Randy -
To what extent is the ROA growth rate in the RIPE region (on
page 5 of the NANOG slides) enabled by the IRR practices of
that region?
I do recognize that there are issues (as Wes nicely identified
in Baltimore and which we'll be working on) that get in the way
of RPKI deployment in the ARIN region, but those issues are not
present other non-RIPE regions - yet the number actual ROA's
issued still appears to be rather low...
Thoughts?
/John
John Curran
President and CEO
ARIN
john
To what extent is the ROA growth rate in the RIPE region (on page 5 of
the NANOG slides) enabled by the IRR practices of that region?
check out slide 3, lacnic has a 20% adoption rate. both ripe and lacnic
have put energy into their own systems, educating users, ... ripe's
curve would not seem to show correlation with recent liberalization of
policy, but i doubt it is wise to twy to squeeze cause out of curves.
I do recognize that there are issues (as Wes nicely identified in
Baltimore and which we'll be working on) that get in the way of RPKI
deployment in the ARIN region, but those issues are not present other
non-RIPE regions - yet the number actual ROA's issued still appears to
be rather low...
20% coverage in lacnic low? how do ipv6 and dnssec compare (which is
damned sad)? over 2,000 in ripe and over 8%? how does that compare to
ipv6?
arin, 388 and 0.7%, a joke. slide 5 "It’s What Happens When You Let
Lawyers and Wannabe Regulators Run the Internet"
i really loved the arin ac guy i met in baltimore who did not think
having arin meet at nanog was good because those operators just did not
get how to regulate the internet. you've been captured by the tea
party.
randy
LACNIC numbers (as a percent) are quite good, but my question
was why only RIPE has the very impressive total count of ROAs.
You can clearly point to ARIN's legal treatment of the risks involved,
but that is not applicable in the APNIC case....
You don't feel there's any correlation between RIPE's IRR approach
and their RPKI success?
/John
John Curran
President and CEO
ARIN
it's just a consequence that our initial idea was just about to protect allocations of our members - not about secure routing at all
John
- it is not about RPK
I - our initial goal was to deploy some kind of certification to resources allocated to our members
Dmitry
If we use for it some SIDR developments - may be - it is a mistake or misentrepration - but what's true that we never thougy
LACNIC numbers (as a percent) are quite good, but my question
was why only RIPE has the very impressive total count of ROAs.
< conjecture follows >
of course one can never know. but i conject
o the are the largest registry actively promotin registration
o the ncc, particularly alex, tim, oleg, ... have put significant
effort into making it very easy to register
o they have a culture of cooperation and doing things well
You can clearly point to ARIN's legal treatment of the risks involved,
but that is not applicable in the APNIC case....
it is hard to register in apnic, ask folk who have tried. the most
active folk are under NIRs, who are only now working on deployment.
apnic is not really promoting it.
You don't feel there's any correlation between RIPE's IRR approach and
their RPKI success?
that's the cooperative culture bit, actually interested in the net
running well.
randy
LACNIC numbers (as a percent) are quite good, but my question
was why only RIPE has the very impressive total count of ROAs.< conjecture follows >
of course one can never know. but i conject
o the are the largest registry actively promotin registration
o the ncc, particularly alex, tim, oleg, ... have put significant
effort into making it very easy to register
o they have a culture of cooperation and doing things well
Reasonable conjecture; implies that in this region we need to overcome
our interesting legal situation, make things easy to use, and then do
some significant promotion.
You can clearly point to ARIN's legal treatment of the risks involved,
but that is not applicable in the APNIC case....it is hard to register in apnic, ask folk who have tried. the most
active folk are under NIRs, who are only now working on deployment.
apnic is not really promoting it.
Ah, good to know (and reinforces potential ARIN issues beyond legal
wrangling)
You don't feel there's any correlation between RIPE's IRR approach and
their RPKI success?that's the cooperative culture bit, actually interested in the net
running well.
Presumably the NANOG community is also interested in keeping the net
running well, so if ARIN can provide some reasonably usable services,
that shouldn't be an issue.
Thanks!
/John
John Curran
President and CEO
ARIN