On Aug 23, 2012, at 12:09 PM, Murphy, Sandra wrote:

> Speaking as regular ol' member
> 
> On Wednesday, August 22, 2012 10:41 PM, Danny McPherson said:
> 
>> Admittedly, I'm not certain what triggered this, but clearly, 
>> your email to me suggests that others have expressed concern 
>> of consistency and collisions, a concern expressed by the 
>> IAB as well.  As such, I have a question below.
> 
> The trigger was some of the concerns expressed as part of the call for 
> adoption of the grandparenting draft.  Some of the comments concerned the 
> content, where suggestions were made of potential grandparent RPKI actions.
> 
> Note that the concerns in the email exchange were principally about 
> inconsistencies between the RPKI and the allocation system. 
> 
> I am well aware of the IAB concerns (and thank you for leading that effort!) 
> and refer to them later in my message.  
> 
>> 
>> Sandy (or others in the know), can you shed any light on the 
>> process you have in mind to ensure consistency?  Particularly from 
>> the perspective of a prospective RP?  Pointers to process (e.g., 
>> RIR processes in the works) are fine.
> 
> IMHO (speaking as regular ol' member), the SIDR process in mind is as the IAB 
> statement says: a single trust anchor.   The origin ops document says "It is 
> assumed that eventually there will be a single root trust anchor for the 
> public address space."

A single trust anchor is certainly an important goal, and I think it would 
likely disambiguate a lot of the problems that seem to be getting raised.  
However, until then why don't we still need to propose a concrete consistency 
process? Is the RPKI not intended to be useful before then?

> 
> It has been pointed out that the CP says that 
>   Each CA operating within the context of this PKI MUST employ
>   procedures to ensure that each certificate it issues accurately
>   reflects its records 
> which is another "process in mind" about consistency of the RPKI and the 
> allocation system.

I think this is one very important point worth making some comments about, 
openly.  What are the current plans to help the RPKI's structure remain 
consistent with the allocation hierarchy?  Saying something like the above 
seems to be tantamount to simply charging each participant with the 
responsibility to try really really extra super hard to be a good citizen.  
However, as an RP, that's clearly cold comfort.  Without outlining a 
transparent and rigorous process, how can consumers (the RPs) ever hope to have 
faith that the structure defined by the RPKI has any meaningful correlation 
with the actual allocation hierarchy?  I think this needs to be outlined more 
clearly, or the overall RPKI design needs some rework in order to obviate the 
need for the specification of these unspecified processes.

Eric
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
