> On May 6, 2019, at 11:49 AM, Jimmy Hess <[email protected]> wrote:
>
> On Mon, May 6, 2019 at 1:45 AM Owen DeLong <[email protected]> wrote:
>
>> Well, this might pose one small problem… ARIN doesn’t approve (or disapprove)
>> any other RIR’s RPKI, nor does it have any authority or basis for doing so.
>
> Perhaps this represents a design issue in the RPKI that would likely
> be addressed in due time, then, before promulgating the protocol any further…?

It’s mostly a political problem. In general, seeking technical solutions to political problems tends to work only slightly better than seeking political solutions to technical problems.

> That the individual RIRs should not each have their own separate instance of
> a root of the resource PKI in the first place (which each router
> would then need to load).

There are five of them, so it’s really not that big of a problem.

To reduce this to one, you first need to identify an organization that can be trusted with that authority, literally the ability to revoke the valid status of every route on the internet (or at least every route that has a corresponding ROA in the RPKI system). Who do you nominate for that function?

Hint: A US not-for-profit in Southern California was deemed unacceptable by most of the regions outside of North America.

> There should instead be a single root authority; much like what exists for
> the DNS root signing key for DNSSEC.

The difference is that if the DNSSEC signing authority goes rogue, it’s relatively easy to simply turn off DNSSEC in your own zone file and get back online with an unsigned zone. With RPKI, cert revocation by the upstream authority makes your route Invalid until you get a new cert approved by them. The risk profile is radically different.

> And the root CA certificate's signing key used to sign an intermediate
> root CA, from which each RIR receives a certificate signed by the intermediary
> that grants CA authority for signing only certificates that are limited to
> signing only certificates that can only validate for IP Number resources
> contained in the list of IPv4 and IPv6 blocks and AS number ranges, which are
> from the list of the blocks that have been allocated by IANA to the respective
> parent RIR.

The PKI 101 course notwithstanding, it’s the risk model associated with this and the single point of potential failure in that system that has people on edge about doing it that way.

> Instead of referring to "an ARIN Approved RPKI"; one would mention
> "A particular global RPKI”

Or several particular global RPKIs.

Or…

Owen

_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
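The two mechanisms the exchange above turns on, as an added example that is not part of the thread or of any RIR's software: the resource-certificate chain Jimmy sketches (a certificate may only carry IP prefixes and AS numbers that its issuer's certificate also carries, per RFC 3779) and the revocation scenario Owen describes (a route that was Valid becomes Invalid once the CA above it pulls the certificate its ROA hangs from). The block models a trust anchor, a CA chain, ROAs, and RFC 6811 route origin validation (Valid / Invalid / NotFound). It deliberately goes one step past the thread by also showing a certificate that claims resources its issuer does not hold, which the chain check rejects. All names, prefixes (RFC 5737 documentation space) and AS numbers (RFC 5398 documentation range) are constructed; real RPKI objects are X.509 certificates, CRLs and manifests, none of which is modelled here.

```python
"""Toy model of RPKI resource-certificate chaining and route origin validation.

Constructed example for illustration; not code from the ARIN-PPML thread.
Certificate names, prefixes and AS numbers below are made up (documentation
ranges only).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ResourceCert:
    """RFC 3779-style resource certificate: prefixes + AS ranges, signed by issuer."""
    name: str
    prefixes: list            # ipaddress.ip_network objects held by this cert
    as_ranges: list           # (low, high) inclusive AS number ranges
    issuer: "ResourceCert | None" = None   # None only for the trust anchor
    revoked: bool = False


@dataclass
class ROA:
    """Route Origin Authorization: prefix, maxLength and the AS allowed to originate it."""
    prefix: ipaddress.ip_network
    max_length: int
    asn: int
    ee_cert: ResourceCert     # end-entity certificate the ROA is signed under


def _inside(prefix, holders):
    """True if `prefix` lies within any prefix in `holders` (same IP version only)."""
    return any(prefix.version == h.version and prefix.subnet_of(h) for h in holders)


def encompassed(child, parent):
    """RFC 3779 rule: a certificate may only list resources its issuer also holds."""
    ips_ok = all(_inside(p, parent.prefixes) for p in child.prefixes)
    asn_ok = all(any(plo <= lo and hi <= phi for plo, phi in parent.as_ranges)
                 for lo, hi in child.as_ranges)
    return ips_ok and asn_ok


def chain_valid(cert, trust_anchor):
    """Walk up to the trust anchor; every link must be unrevoked and encompassed."""
    while cert is not trust_anchor:
        if cert.revoked or cert.issuer is None or not encompassed(cert, cert.issuer):
            return False
        cert = cert.issuer
    return not trust_anchor.revoked


def validated_payloads(roas, trust_anchor):
    """Keep only ROAs whose EE cert chains to the TA and actually holds the ROA prefix."""
    return [r for r in roas
            if chain_valid(r.ee_cert, trust_anchor) and _inside(r.prefix, r.ee_cert.prefixes)]


def origin_validation(route, origin_as, roas, trust_anchor):
    """RFC 6811 validation state for one (prefix, origin AS) announcement."""
    covering = [r for r in validated_payloads(roas, trust_anchor) if _inside(route, [r.prefix])]
    if not covering:
        return "NotFound"
    if any(r.asn == origin_as and route.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


def build_scenario():
    """Constructed hierarchy: RIR trust anchor -> ISP CA -> customer CA, plus a rogue CA."""
    net = ipaddress.ip_network
    ta = ResourceCert("RIR-TA", [net("192.0.2.0/24")], [(64496, 64511)])
    isp = ResourceCert("ISP-CA", [net("192.0.2.0/25")], [(64496, 64496)], issuer=ta)
    cust = ResourceCert("CUSTOMER-CA", [net("192.0.2.0/26")], [], issuer=isp)
    # Claims a block the ISP does not hold; encompassed() will reject it.
    rogue = ResourceCert("ROGUE-CA", [net("203.0.113.0/24")], [], issuer=isp)
    roas = [
        ROA(net("192.0.2.0/25"), 25, 64496, ResourceCert("ISP-EE", [net("192.0.2.0/25")], [], issuer=isp)),
        ROA(net("192.0.2.0/26"), 26, 64500, ResourceCert("CUST-EE", [net("192.0.2.0/26")], [], issuer=cust)),
        ROA(net("203.0.113.0/24"), 24, 64500, ResourceCert("ROGUE-EE", [net("203.0.113.0/24")], [], issuer=rogue)),
    ]
    return ta, {"isp": isp, "cust": cust}, roas


def run():
    """Validate the customer's route before and after its CA cert is revoked upstream."""
    net = ipaddress.ip_network
    ta, cas, roas = build_scenario()
    before = origin_validation(net("192.0.2.0/26"), 64500, roas, ta)
    cas["cust"].revoked = True   # the upstream CA pulls the customer's certificate
    # The ISP's /25 ROA (AS 64496) still covers the /26, so the route is now Invalid,
    # not merely unknown.
    after = origin_validation(net("192.0.2.0/26"), 64500, roas, ta)
    rogue = origin_validation(net("203.0.113.0/24"), 64500, roas, ta)     # ROA chain rejected
    uncovered = origin_validation(net("198.51.100.0/24"), 64500, roas, ta)  # no ROA at all
    return {"before": before, "after_revocation": after, "rogue": rogue, "uncovered": uncovered}


if __name__ == "__main__":
    for state, value in run().items():
        print(f"{state}: {value}")
```

The point the toy makes concrete: whether a revocation leaves a route Invalid or merely NotFound depends on whether some other ROA higher in the hierarchy still covers the prefix, which is exactly the situation a customer sits in under its upstream's aggregate ROA.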
