On Jan 5, 2011, at 5:32 PM, Randy Bush wrote:

>> 1) If ARIN doesn't provide the level of authentication you desire, as
>> an ARIN member you should send a note to ppml each day until it's
>> available
>
> this is not address policy. this is ops. surely one does not have to
> dirty one's self with the ppml list to get an ops fix done in arin. it
> is not address policy.
>
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe). as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.

Randy -

Excellent point; my apologies for not realizing this sooner and
posting some information directly for consideration by the NANOG
community. Attached is a message from the arin-discuss mailing list
which has some more context; please feel free to discuss this on the
arin-discuss mailing list or here on NANOG (as appropriate).

Thanks!
/John

Begin forwarded message:

> From: John Curran <jcur...@arin.net>
> Date: January 6, 2011 11:08:39 AM EST
> To: "George, Wes E [NTK]" <wesley.e.geo...@sprint.com>
> Cc: "arin-disc...@arin.net" <arin-disc...@arin.net>
> Subject: Re: [arin-discuss] Important Update Regarding Resource Certification
>
> On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:
>
>> There have been some threads about this on NANOG in the last few days. Can
>> we get a bit clearer explanation of what the specific security concerns are
>> and why they are delaying things? It may also make sense for someone from
>> ARIN to post to NANOG with an explanation as well. If there are security
>> concerns, it is something that the community should be aware of in case
>> other RIRs or the SIDR WG need to be considering those issues as well.
>>
>> Thanks,
>> Wes George
>
> George -
>
> The security concerns are not specifically related to the RPKI
> protocol, but inherent implications of any service that might
> be heavily relied upon for real-time network operations, i.e.
> I don't think it's a SIDR WG matter, but simply part of the
> due diligence associated with the service as noted below.
>
> While the RIRs presently provide services which are used to
> support operations (such as WHOIS and Reverse DNS services),
> failure of RIR resource certification services could have
> some very significant consequences, particularly in the case
> of incorrect data as opposed to simply unavailable data.
> There are some potential liability implications of operating
> such a service that ARIN is presently reviewing in depth. I
> need to also note that these issues exist even in the case of
> a perfectly secure and operational service, in that an error
> by an ISP using ARIN's services (e.g. having entered the wrong
> AS number into a ROA for a major customer) could result in
> ARIN needing to readily "prove" the integrity of its resource
> certification system as well as fidelity of performance against
> the operator's request.
>
> This has led ARIN to consider some aspects of its resource
> certification design, specifically to mitigate potential risks
> in the areas of non-repudiation and multi-party controls. Even
> so, the ultimate decision in these matters lies with the ARIN
> Board, as there is always going to be residual risk associated
> with any operations-related service provided by ARIN (note also
> that we have also discussed these issues with the other RIRs,
> but as they don't operate in ARIN's highly-litigious region, it
> is not necessarily a similar priority for their consideration)
>
> To the extent that ARIN offering resource certification services
> is important to your plans, it would be good to express such needs
> on the arin-discuss mailing list. This helps us gauge the demand
> which obviously is another important factor to be considered in
> making the final determination on offering these services.
>
> We intend to have more detailed information out later this month
> once the plans are finalized, but I hope the above information
> provides some insight into the process at this point. I will
> post this to the NANOG list for the community's information.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> ARIN
>
> p.s. I'm presently on a Caribbean cruise ship on a bona fide
> family vacation, so please recognize that replies may
> be deferred to off hours so that my laptop isn't thrown
> overboard... ;-)